On my website I store user pictures in a simple manner such as: "image/user_1.jpg".
I don't want visitors to be able to view images on my server just by trying us
Any method you choose to determine the source of a request is only as reliable as the HTTP_REFERER information that is sent by the user's browser, which is not very. Requiring authentication is the only good way to protect content.
You can look up "Hotlinking prevention" via htaccess and I think that should be a simple solution for the type of protection you need. However, it's not foolproof; people who really want to get those images will find a workaround by faking the referrer.
http://altlab.com/htaccess_tutorial.html
Method #1 is not viable as it will ask for user name and password on each and every image requested. You probably got the prompt for some of the images and not for others due to caching issues.
Method #2 looks the most appealing to me by being the least processor intensive, but with only the user_id passed through the md5 function the file name is still quite easily guessable. You should go for md5('my secret string'.$user_id) for a better solution.
Why are you picking #3 via Perl or Python? What's wrong with PHP's speed? Indeed, if you're protecting your images this way you should go to the extra length of moving them out and above your webroot so they're only accessible via your script, which first checks if the user is authenticated and then passes the avatar by reading it and outputting it. Alternatively, you could protect the directory with an htaccess file saying deny from all.
Plus you should go for a HTTP_REFERER security either via PHP or via .htaccess.
Good luck!
As has been said, hotlinking protection does not protect your files from listing just by altering their id. Plus the Referer can be easily faked.
In this case I would recommend some kind of authentication. You must create a PHP script that will serve images only if it verifies the logged-in user via COOKIES or SESSION. (I wouldn't recommend using md5 of user password).
Maybe you'll need some SQL table to save access permissions.
Oh and to protect your images you can just place .htaccess with
deny from all
to the images folder.
You are right considering option #3. Use a service script that would validate the user and readfile() an image. Be sure to set the correct Content-Type HTTP header via the header() function prior to serving an image. For better isolation, images should be put above the web root directory, or protected by well-written .htaccess rules - there is definitely a way of protecting files and/or directories this way.
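A sketch of the serving script several answers describe (session check, files kept outside the web root, Content-Type set before readfile()), added here as an example and not taken from any of the posts. The script name, the directory layout, the `id` query parameter and the `$_SESSION['user_id']` key are assumptions.

```php
<?php
// avatar.php - added example; file name, paths and session key are assumptions.
declare(strict_types=1);

// Assumed layout: this script sits in the web root and the pictures live in a
// sibling directory that the web server does not expose.
const IMAGE_DIR = __DIR__ . '/../private/images';
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_start();

// 1. Authentication: the login code is assumed to set $_SESSION['user_id'].
//    A per-image permission lookup (e.g. an SQL table) would follow this check.
if (empty($_SESSION['user_id'])) {
    deny(403);
}

// 2. Accept only a positive integer id, so the value can never carry "../"
//    or any other path component into the file name.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    deny(400);
}

// 3. Build the path from the validated id only.
$path = IMAGE_DIR . '/user_' . $id . '.jpg';
if (!is_file($path) || !is_readable($path)) {
    deny(404);
}

// 4. Take the Content-Type from the file's bytes, not from its extension,
//    and refuse anything that is not an expected image type.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($type, ALLOWED_TYPES, true)) {
    deny(404);
}

header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Pages would then reference pictures as `avatar.php?id=1` instead of linking to the file directly.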