1
elevator
Secure directories
  • 2004/8/27 4:06

  • elevator

  • Just popping in

  • Posts: 21

  • Since: 2004/8/24


Good evening,
Question: I am using a photo album module and have a few private family pictures in there that I want to protect. So I make the album module only readable by family members. So far so good. Now, when I point my browser to the directory and the filename of the image file it displays on the screen regardless of whether or not they are logged on. I disabled directory browsing on my webserver so that makes it a little bit more secure. I even tried to .htaccess protect the directory where the images were stored, but the problem then is that the system asks for a password when displaying the photos, even if the user is logged into xoops.

Is there any way I can protect the image files without it affecting xoops? My photo album is eventually not the only module I want to protect from outside interference. The predictability of the filenames in the myAlbum-p module is alarming also. It creates the images with numeric names starting at 1 and increasing by one for every image. So if you know the upload directory it's ridiculously easy to download all the images. Any ideas what I could do?

Elevator.

2
elevator
Re: Secure directories
  • 2004/8/27 13:44

  • elevator

  • Just popping in

  • Posts: 21

  • Since: 2004/8/24


Just had a thought.... is it possible to use blobs in the MySQL database? i.e. store all the pictures directly in the database instead of as files on disk? Has anyone had any experience with this and how would I go about converting the PHP code to do something like this?

Elevator.

3
DonXoop
Re: Secure directories

You can use blob, the core images table can optionally store as binary in the table. I think you are trying to avoid direct file calls? Other album modules might do this without pulling the image from the db.

Your module shouldn't allow access or direct linking if the rights are correct. Are anonymous users allowed any access? I don't use the same photo album but ideally the images would be called from a single script and processed instead of a direct call that can be predicted.

So I'm now curious. One more little trick is to drop in an index.html file with:


That pushes them back where they came from if an unwanted directory call is made.

4
elevator
Re: Secure directories
  • 2004/8/28 3:47

  • elevator

  • Just popping in

  • Posts: 21

  • Since: 2004/8/24


DonXoop,
Thanks for the reply. Yes, you're absolutely right. I am trying to disallow/avoid direct file calls. I have made no changes to the module (and it must be a module problem, because I tried to access private images on websites using the same module, and had no problem, even without logging in).

Dropping the index.html file that you mention has no effect because I have already disabled directory browsing, so all they'll see then is an access denied message. The problem is: if you know the filename and folder of the image file, simply inputting that path in the URL bar will show the image regardless of whether you are logged in or not. I did report this on the forum for the myAlbum-p module that I am using, but so far it has no replies. I am sure there must be something I am missing, because I can't see how this can't be left so open. All the other modules I currently use don't have security mechanisms that can be so easily circumvented.

Let me ask this: what's the best way for an image module to store images so that they can't be accessed? I tried to .htaccess protect the photos directory, but then I get that pesky little password box even if the user is logged in.

Elevator.

5
Jan304
Re: Secure directories
  • 2004/8/28 10:23

  • Jan304

  • Official Support Member

  • Posts: 520

  • Since: 2002/3/31


This is a normal behavior. The files aren't parsed through a php file, so there is a direct call. This is normal, but can of course be fixed.

Some sites let all images go through a php file, and check on the referer. The problem is that more and more people have software on their PC (NIS - Zonealarm) that blocks the referer at default settings.

You `could` however check whether the user is logged in or not. But then you will have to include mainfile.php for every image call, and that could be a real minus for the CPU of your server.

You might want to check these pages:
http://www.alistapart.com/articles/hotlinking/
http://www.webmasterstop.com/tutorials/prevent-hotlinking.shtml
http://www.htmlcenter.com/tutorials/tutorials.cfm/159/php/

And, if you really want to look into solutions for coppermine:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=16542&forum=4 (the solutions are for the original version, but with a bit of php knowledge and logic it is possible to implement into the XOOPS version)
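The approach DonXoop and Jan304 describe (one script serves every image and checks the XOOPS login instead of relying on a predictable direct file call) looks roughly like the following. This is an added example written for this thread, not code from XOOPS core or the myAlbum-p module. It assumes: the script sits in the XOOPS web root next to mainfile.php; the album images have been moved to a directory the web server cannot serve directly, either outside the document root or covered by an .htaccess containing `Order deny,allow` and `Deny from all` (which, unlike a Basic-auth .htaccess, never pops up a password box because nobody is ever meant to fetch those files directly); and that including mainfile.php starts the XOOPS session and sets the global `$xoopsUser` (an object when logged in, null for anonymous visitors). The constant name `PRIVATE_IMAGE_DIR` and the file name `image.php` are assumptions for the example.

```php
<?php
// image.php - added example gatekeeper for protected album images.
// Not part of XOOPS or myAlbum-p; see the assumptions in the text above.
//
// Including mainfile.php for every image call is the CPU cost Jan304 mentions,
// but it is what makes the login check authoritative (it loads the session).
include_once dirname(__FILE__) . '/mainfile.php';

// Assumed location of the moved images: not reachable by a direct URL.
define('PRIVATE_IMAGE_DIR', dirname(__FILE__) . '/../private_album');

// Only logged-in members may fetch protected images.
// $xoopsUser is null for anonymous visitors (assumption about mainfile.php).
if (empty($xoopsUser) || !is_object($xoopsUser)) {
    header('HTTP/1.0 403 Forbidden');
    exit('Login required');
}

// Whitelist the identifier: accept only a positive integer, so the request can
// never contain "../" or name an arbitrary file. The sequential numeric names
// the module uses still exist, but guessing one is no longer enough, because
// the access check runs on every request.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
if ($id < 1) {
    header('HTTP/1.0 400 Bad Request');
    exit('Invalid image id');
}

// Map the id to a file; the extension is chosen server-side, never taken
// from the request.
$types = array(
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
);
$file = null;
$mime = null;
foreach ($types as $ext => $type) {
    $path = PRIVATE_IMAGE_DIR . '/' . $id . '.' . $ext;
    if (is_file($path)) {
        $file = $path;
        $mime = $type;
        break;
    }
}
if ($file === null) {
    header('HTTP/1.0 404 Not Found');
    exit('No such image');
}

// Stream the bytes with the right type. The real path never reaches the
// browser, and the no-store header keeps private images out of shared caches.
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($file));
header('Cache-Control: private, no-store');
readfile($file);
```

Album templates would then reference pictures as `image.php?id=5` instead of the upload directory path. A finer-grained version would also consult the module's own per-album permission table before serving, so that a member can only fetch images from albums they are allowed to view; the login check above is the minimum that closes the direct-call hole the thread describes.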
