
I was wondering if there is a way to secure an image or a file to be hidden when it is not authenticated.

Suppose there is an image on my website which can only be seen if the user is authenticated. But the thing is I can copy the URL or open the image in a new tab.

http://siteis.com/media/uploaded_files/1421499811_82_Chrysanthemum.jpg

And again, even if I am not authenticated, I can view that particular image by going to that URL. So, my question, or my problem, is: how do I secure the files so that only authenticated users will see them? I hope I was clear; if not, please ask. I would really appreciate it if you could help me. And if possible, in a pythonic/Django way.

alecxe
Robin

1 Answer


One solution is to forbid access to the folder where the sensitive files are stored, so that it is not possible to access them directly. For example, place these files under http://siteis.com/secured_uploaded_files/ and place a .htaccess file there (for Apache) to prevent access. You can also place the files outside the web server's document root.

Step two is to write code for the following behavior:

URL: http://siteis.com/getfile?id={long_random_identifier}

When the above URL is accessed, the server checks if the user is authenticated and authorized to access the resource identified by the given identifier. If the checks are successful, read the file from its location using server-side code and stream it in your response.

Dinu
  • I solved it by the second method of checking whether the user is authenticated. Thank you. – Robin Jan 19 '15 at 19:27
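
The flow described in the answer, as an added example that is not part of the original posts: a framework-neutral WSGI handler for `/getfile?id=...` that serves files kept outside the document root. The names `register_file`, `getfile_app`, `fetch`, the in-memory `FILES` table and the use of `REMOTE_USER` (set by whatever authentication layer runs in front) are assumptions; in Django the same checks would sit in a view that returns a `FileResponse`.

```python
import os
import secrets
import tempfile
from urllib.parse import parse_qs
from wsgiref.util import FileWrapper

# Constructed sample store: a directory outside the web server's document root.
STORE = tempfile.mkdtemp(prefix="secured_uploads_")
FILES = {}  # identifier -> (name on disk, owner, content type); a DB table in practice

def register_file(owner, data, content_type="image/jpeg"):
    """Save an upload under a random name and return its long random identifier."""
    file_id = secrets.token_urlsafe(32)
    name = secrets.token_hex(16)  # disk name never comes from user input
    with open(os.path.join(STORE, name), "wb") as fh:
        fh.write(data)
    FILES[file_id] = (name, owner, content_type)
    return file_id

def getfile_app(environ, start_response):
    """WSGI handler: authenticate, authorize, then stream the file."""
    def deny(status):
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode()]
    user = environ.get("REMOTE_USER")  # assumption: set by the auth layer
    if not user:
        return deny("401 Unauthorized")
    file_id = parse_qs(environ.get("QUERY_STRING", "")).get("id", [""])[0]
    record = FILES.get(file_id)
    # Same response for "unknown id" and "not your file", so ids cannot be probed.
    if record is None or record[1] != user:
        return deny("404 Not Found")
    name, _owner, content_type = record
    fh = open(os.path.join(STORE, name), "rb")
    start_response("200 OK", [("Content-Type", content_type),
                              ("Cache-Control", "private, no-store")])
    return FileWrapper(fh)  # yields the file in blocks instead of loading it whole

def fetch(file_id, user=None):
    """Call the handler directly (no network) and return (status, body)."""
    seen = []
    environ = {"QUERY_STRING": "id=" + file_id}
    if user:
        environ["REMOTE_USER"] = user
    body = getfile_app(environ, lambda status, headers: seen.append(status))
    data = b"".join(body)
    getattr(body, "close", lambda: None)()
    return seen[0], data
```

The path on disk is looked up from the server-side table and never built from request input, so the identifier cannot be used to reach other files.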