Password protect directory (not .htaccess)


Ferris
Apr 26th, 2007, 03:19 AM
Hi,

I have a directory that contains html, php & image files that I want the user to have to log in to view. I don't want to use .htaccess as I want to be able to present them with a nice login page and also to be able to store logins in the DB.

Normally I would add a session["isloggedin"] after they had successfully logged in and then simply add a check at the top of each php file checking if the session var is true or not.
That's great for php (and to an extent html) pages, but I also want to be able to block them from viewing any images unless they are logged in.

Can this be achieved?

Thanks
F

kows
Apr 26th, 2007, 08:59 AM
sure. make a PHP script that spits out images and instead of linking directly to the images, link to the script. you can use imagecreatefromjpeg() or the similar PNG/GIF alternatives to send the image to the browser, or you could send the headers yourself and just read the file in. you can check the session in this script to make sure they are allowed to view images. then to make sure they can't "accidentally" stumble upon your directory, make sure it will have an index file so that the directory listing can't be viewed.

because of the nature of images (they'd be easy to look at if someone knew the filename and a possible image location), you should throw them either A: into a directory that has the name of a SHA/MD5 hash so that a regular user couldn't just find them, or B: rename all images to an MD5 hash of their actual filenames (or their file contents) and then store how to reference them in a database or come up with a different way of handling them. if you wanted, you could also store the images IN a database, but that may not be the best idea -- depending on how many people will be using your website and how big your images are going to be. for a download site I made, I created an MD5 hash of the file's contents and named each file that hash. then, my database kept its actual filename, content-type, and the hash that it is associated with (along with other miscellaneous information) so that my download script could log how many people were downloading what and all.

and you should scrap using any plain HTML files, because you can't really stop anyone from viewing a static page. even if it doesn't have any PHP in it, make it a PHP file and add something that will check the session and redirect to a login or something if it doesn't exist.
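The image gateway kows describes, written out as an added example (this is not code posted in the thread). It assumes the login page sets `$_SESSION['isloggedin']` (the variable name Ferris mentions), that files are stored under the MD5 hash of their contents as kows does for his download site, and that a `$catalog` array stands in for the database table that maps the hash back to the real filename and content type. `IMAGE_DIR`, `LOGIN_PAGE`, `store_image()` and `resolve_image()` are names chosen for this example.

```php
<?php
// image.php - added example for this thread, not code from kows or Ferris.
// Assumptions (not stated in the thread): the login page sets
// $_SESSION['isloggedin'] = true; images live under the MD5 of their contents
// in IMAGE_DIR, a directory outside the web root; $catalog stands in for the
// database table mapping hash -> original name and content type.
session_start();

define('IMAGE_DIR', __DIR__ . '/../private_images');  // assumed location, outside docroot
define('LOGIN_PAGE', '/login.php');                   // assumed login URL

// Constructed sample rows standing in for the database described in the thread.
$catalog = [
    '0123456789abcdef0123456789abcdef' => ['name' => 'diagram.png', 'type' => 'image/png'],
    'fedcba9876543210fedcba9876543210' => ['name' => 'photo.jpg',   'type' => 'image/jpeg'],
];

// Upload side of kows' scheme: store the file under the hash of its contents
// and return the row that should be written to the database.
function store_image(string $tmpPath, string $originalName, string $contentType): array
{
    $hash = md5_file($tmpPath);
    if ($hash === false || !move_uploaded_file($tmpPath, IMAGE_DIR . '/' . $hash)) {
        throw new RuntimeException('could not store upload');
    }
    return ['hash' => $hash, 'name' => basename($originalName), 'type' => $contentType];
}

// Resolve a request id to a catalog row plus on-disk path, or null.
// The strict hash pattern is what keeps "../" or absolute paths from ever
// reaching a filesystem call; the catalog lookup keeps unlisted files hidden.
function resolve_image(string $id, array $catalog): ?array
{
    if (!preg_match('/^[a-f0-9]{32}$/', $id) || !isset($catalog[$id])) {
        return null;
    }
    $path = IMAGE_DIR . '/' . $id;
    if (!is_file($path)) {
        return null;
    }
    return $catalog[$id] + ['path' => $path];
}

// 1. Same session check that sits at the top of every protected PHP page.
if (empty($_SESSION['isloggedin'])) {
    header('Location: ' . LOGIN_PAGE, true, 302);
    exit;
}

// 2. Look up the requested image; unknown or malformed ids get a plain 404.
$row = resolve_image((string)($_GET['id'] ?? ''), $catalog);
if ($row === null) {
    http_response_code(404);
    exit;
}

// 3. Send the bytes with the content type recorded at upload time (never one
//    taken from the request) and tell browsers and proxies not to cache them.
header('Content-Type: ' . $row['type']);
header('Content-Length: ' . filesize($row['path']));
header('Content-Disposition: inline; filename="' . rawurlencode($row['name']) . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($row['path']);
```

Pages then reference images as `<img src="image.php?id=0123456789abcdef0123456789abcdef">` instead of linking to the file. With the image directory outside the web root and the id validated before any filesystem access, the hashed names work as stable identifiers rather than as something that has to stay secret, and the index file kows mentions is only needed for directories that remain inside the web root.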

Ferris
Apr 26th, 2007, 09:52 AM
Nice one Kows,

That has certainly pointed me in the right direction.

Thanks!