How to restrict access to file so only owner can access?

Question

I'm looking for an answer to a question similar to this one: protect users' file being accessed so only owner can access?

I am writing a web application in php where users can upload their own files or images, but how can I protect these files from being accessed by others other than the owner.

and the solution which was accepted for this question is ok, so I'll "proxy" requests for files through a special script which will check if a user is allowed to use this file.

BUT I want to do this without querying the DB. So, I guess, it should be possible to detect if a user has access to a file by its location or name.

Because of specific location I can not put all user files into folder with the user id in its name, so I think about file names, where part of name will contain user id. So file names can be like this:

1_pic.jpg, 2_pic.png, 1_pic.gif etc, where the digit at the beginning of the name = user id

Then I'll be able to easily parse the filename, and compare the user id from there with the user id from the session, and check this way whether a user is the file's owner.

What do you think about such an approach, what disadvantages does it have?

Thanks in advance!

Answer 1

As long as you only have to check whether the user trying to access the file is the user that originally uploaded the file your apporach is perfectly fine. Make sure the directory is NOT accessible via the document root, so the files are still safe in case your script or a .htaccess file fails. Also make sure the filenames cannot collide for different users.

Answer 2

I can't imagine the function would add that much load to the database. However, if that's a concern, then create a secure login system that DOES access the database. It would only need to do it once per session, so that's not much server load. Once the user is logged in, set a value in a session variable that can be used from then on that tells the script the user can have access to the files.