限制访问我网站上的图像(通过我自己的html除外) [英] Restrict access to images on my website except through my own htmls

问题描述

在我的网站上，我以简单的方式存储用户图片，例如: "image/user_1.jpg".

On my website I store user pictures in a simple manner such as: "image/user_1.jpg".

我不希望访问者仅通过尝试user_ids就能查看服务器上的图像. (例如:www.mydomain.com/images/user_2.jpg、www.mydomain.com/images/user_3.jpg，等等...)

I don't want visitors to be able to view images on my server just by trying user_ids. (Ex: www.mydomain.com/images/user_2.jpg, www.mydomain.com/images/user_3.jpg, so on...)

到目前为止，我想到的是三种解决方案:

So far I have three solutions in mind:

1. 我尝试使用.htaccess来密码保护"images"文件夹.这在某种程度上帮助了我，但是有些图像开始在我的html上弹出用户名和密码请求(而令人惊讶的是有些图像没有)，因此这似乎是一种不可预测的方法.

1. I tried using .htaccess to password protect the "images" folder. That helped me up to some point but some of the images started popping up a username and password request on my htmls (while amazingly some images did not) so this seems to be an unpredictable method.

我可以开始用一些盐将user_id转换为md5哈希.这些图像将被命名为:/image/user_e4d909c290d0fb1ca068ffaddf22cbd0.jpg.我不喜欢这种解决方案.这使文件系统变得很复杂.

I can start converting my user_id's to an md5 hash with some salt. The images would be named as: /image/user_e4d909c290d0fb1ca068ffaddf22cbd0.jpg. I don't like this solution. It makes the file system way complicated.

或者我可以使用PHP的readfile()函数，或者使用Perl或Python中的类似函数.例如，我可以使用md5字符串传递密码，以将访问者验证为可以访问该图像的登录用户.

or I can user PHP's readfile() function or maybe something similar in Perl or Python. For instance I could pass a password using an md5 string to validate visitors as loggedin users with access to that image.

我倾向于选项3，但是具有Perl或Python角度(假设它们会比PHP快).但是，我希望看到其他有关此事的想法.也许有一个简单的.htaccess技巧吗?

I'm leaning towards option 3 but with a Perl or Python angle (assuming they would be faster than PHP). However I would like to see other ideas on the matter. Maybe there is a simple .htaccess trick to this?

我基本上要确保的是，除非从我网站上托管的html中直接调用图片，否则没有人可以从我的网站上查看图片.

Basically all I want to make sure is that no one can view images from my website unless the images are directly called from within htmls hosted on my site.

非常感谢

哈卢克

推荐答案

方法#1不可行，因为它会在每个请求的图像上要求用户名和密码.由于缓存问题，您可能会提示某些图像，而不是其他图像.

Method #1 is not viable as it will ask for user name and password on each and every image requested. You probably got the prompt for some of the images and not for others due to caching issues.

方法2对我来说最吸引人，因为它占用最少的处理器，但是只有通过md5函数传递的user_id，文件名仍然很容易猜到.您应该使用md5(我的秘密字符串".$ user_id)以获得更好的解决方案.

Method #2 looks the most appealing to me by being the least processor intensive, but with only the user_id passed through the md5 function the file name still quite easily guessable. You should go for md5('my secret string'.$user_id) for a better solution.

为什么要通过Perl或Python选择#3? PHP的速度有什么问题?的确，如果您以这种方式保护图像，则应该花更多的时间将其移出Webroot并移至Webroot上方，以便只能通过脚本访问它们，脚本首先检查用户是否已通过身份验证，然后通过读取头像来传递头像并输出.或者，您可以使用一个名为deny from all的htaccess文件保护该目录.

Why are you picking #3 via Perl or Python? What's wrong with PHP's speed? Indeed if you're protecting your images this way you should go to the extra length of moving them out and above your webroot so they're only accessible via your script which first checks if the user is authenticated and then passes the avatar by reading it and outputting it. Alternatively, you could protect the directory with an htaccess file saying deny from all.

另外，您应该通过PHP或通过.htaccess 来获得HTTP_REFERER安全.

Plus you should go for a HTTP_REFERER security either via PHP or via .htaccess.

祝你好运！

这篇关于限制访问我网站上的图像(通过我自己的html除外)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！