
Probably a bit of a general question, even tho' it's specific to a certain type of website/application, but will give it a shot regardless. I'm a bit confused whether or not I should be caching my thumbnails for my current project, normally I would, but I'm not sure about this project. I'll explain my situation better to give a better understanding.

I have a stock photo website, for celebrity, news and sport photos, that show authorised clients (newspapers & magazines) our entire library. These photos have some value and I have gone to great measures to ensure the larger photos are either hidden on Amazon S3, or above the root directory, with expiring and hashed links, so I don't want to jeopardize my photos by adding a cache when I shouldn't be or adding an incorrect cache. A typical user may search for a photo and never see it again or they might save a photo to their favorites and see it twice-daily. A user could also browse 10,000 photos in a couple of minutes.

My question is; should I have no cache at all or have a limited cache, for say, 1 hour, or 1 day? If I set a cache expiry for a photo, will that be accessible to my client on their browser, under say 'cached images'? Are there any other security issues with caching valuable photos?

I know about screen-grabbing, printing and the rule; if you don't want it stolen, don't put it on the web, but I want to do the best I can in my application for security and speed.

I'm using PHP (5.2.17) for loading images from Amazon to my client's browser using PHP's ReadFile() and IMG elements like `<img src="loadImage.php?p=2342dfsfsdfwf2dfsf">`.

To clarify what type of caching:

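```php
<?php
// An Expires date in the past marks the response as already stale,
// so the browser will not reuse a cached copy.
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
header("Content-Type: image/jpeg");
// $url is the image location, set earlier in the script (not shown in the question).
readfile($url);
?>
```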
TheCarver
  • You mean *browser* caching?? Or caching thumbs generated server side? – Hamish Jul 23 '12 at 02:31
  • @Hamish: Server-side, when I pull the image from Amazon and print to screen (loadImage.php), I can add a cache header. Currently, for thumbnails, I have not supplied a cache header. This is what I am questioning. – TheCarver Jul 23 '12 at 02:37
  • A cache *header* is for the client, not the server. – Hamish Jul 23 '12 at 02:38
  • @Hamish: I got confused sorry. I want to set the cache for the client's browser, in my php script (image/jpeg) headers. See bottom of question. – TheCarver Jul 23 '12 at 02:41
  • Why not watermark previews? If your images are viewable by authorized clients and you're *that* fearful they're stealing from you, I wonder what your real problem is. – Jared Farrish Jul 23 '12 at 02:46

1 Answer


If you are extremely concerned about the security of the images, then I would say do not cache them at the expense of using more bandwidth (and a slower loading time). If you are more concerned about bandwidth usage than security, cache them.

However, if they are truly thumbnails, they should have little value to a user if they are small, of low quality, etc. One solution would be to watermark the images.

In theory, it is possible to extract images from a browser's cache (http://protechgeek.com/how-to-extract-images-from-browser-cache/), so if they are cached, they can be retrieved. Even easier, someone can screen grab as you mentioned, or right-click and copy/paste. A watermark is the only solution to this.

tl;dr

In my opinion, I would not think it's worth the extra bandwidth hit and increased loading time for a minimal security increase. Use watermarks instead. There's a reason that the majority of stock photo websites use watermarks-- they are the only way to prevent someone from outright stealing the image (even though, depending on the image and watermark, it can be removed convincingly by a skilled Photoshop user).

Andrew M
  • The only way is screen-grabbing, I have a transparent image overlaying the photo, so right-clicking just grabs a blank.png file. I would prefer speed over security on the thumbs I suppose, bandwidth isn't an issue for us. How long of an expiry should I give each photo? – TheCarver Jul 23 '12 at 02:53
  • It's very easy for a determined user to use a web inspector to remove the transparent PNG. The cache time depends on what sort of behavior your users will engage in-- I'm not an expert in caching though, so someone else may want to pitch in on that. – Andrew M Jul 23 '12 at 02:55
  • @PaparazzoKid - Why not make it five minutes? Three? Because, you know, the real issue you seem to have is that someone can download a high-enough res copy of your image *as a resource*. Give anyone competent in DOM traversal 15 seconds and they would have your source file; give those same people an hour or so and they could have a script running in a browser (Chrome extension?) that would just download your images. Script a down res copy, watermark as a preview, save it and give it a realistic cache time for your user. Then offer your user the ability to access a higher res on payment. – Jared Farrish Jul 23 '12 at 02:59
  • Andrew, someone "dedicated" enough to pixel-fit remove a watermark clean enough to be non-detectable will probably not be thwarted by much. That's what lawyers are for. – Jared Farrish Jul 23 '12 at 03:04
  • @JaredFarrish: "Give anyone competent in DOM traversal 15 seconds and they would have your source file; give those same people an hour or so and they could have a script running in a browser (Chrome extension?) that would just download your images." - **Does that still apply even though I don't store any photos on my server?** – TheCarver Jul 23 '12 at 03:08
  • @PaparazzoKid - Just because you have a pass-through page doesn't mean it's now "magically" disappeared. For a browser to display it, you have to have it in one piece, and once it's cached, it's a literal file to that browser for the period of its cache. – Jared Farrish Jul 23 '12 at 03:15
  • @PaparazzoKid - I guess what I'm saying is just giving them the actual file (or one good enough to be used) is the real exposure, not the cache per se. One hour is fine, six hours could work if they visit a lot. It may be beyond your technical skill to do auto watermarking with something like GD or ImageMagick, which I understand. But the caching technique you're describing will not really thwart anyone from taking your work, it really will impact their experience on your site (slow loading, etc.). – Jared Farrish Jul 23 '12 at 13:07
  • @JaredFarrish: I'm very capable of auto-watermarking, thank you. Nice of you to judge my 'technical skills' on a caching question. You need to step down from your ladder a little my friend. I'm just unfamiliar with caching techniques on a busy photo app, where 15,000 photos can get cached in a session, and what the best approach is. Anyway, you may not have the technical skills to read a question properly, but you will see that I'm not asking about 'preview' sized images, I'm talking about thumbnails, which would look a little silly watermarked. – TheCarver Jul 23 '12 at 15:58
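
The one-hour thumbnail expiry discussed in the comments above, as an added example that is not code from the question or the answer: the thumbnail is cacheable only in the user's own browser (`private`), revalidated with an ETag, while the full-size files are sent with `no-store`. The function names, the `sha1($token)` ETag and the `no-store` policy for large files are assumptions made for illustration.

```php
<?php
// Added example, not the asker's loadImage.php. Avoids PHP 5.3+ features
// because the question mentions PHP 5.2.17.

// Headers for a thumbnail the browser may keep for $maxAge seconds.
// "private" permits the user's own browser cache but forbids shared caches
// (proxies, CDNs) from storing the response.
function thumbnail_cache_headers($etag, $maxAge)
{
    return array(
        'Cache-Control: private, max-age=' . (int) $maxAge,
        'Expires: ' . gmdate('D, d M Y H:i:s', time() + (int) $maxAge) . ' GMT',
        'ETag: "' . $etag . '"',
    );
}

// Headers for the valuable full-size photos: never written to any cache.
function fullsize_no_cache_headers()
{
    return array('Cache-Control: no-store', 'Pragma: no-cache');
}

// True when the browser's If-None-Match matches our ETag (revalidation hit).
function client_copy_is_current($etag)
{
    return isset($_SERVER['HTTP_IF_NONE_MATCH'])
        && trim($_SERVER['HTTP_IF_NONE_MATCH']) === '"' . $etag . '"';
}

// Hypothetical use inside a script like loadImage.php:
// $token is the opaque id from ?p=..., $url the resolved image location.
function send_thumbnail($token, $url)
{
    $etag = sha1($token);   // assumption: one token always maps to one image
    foreach (thumbnail_cache_headers($etag, 3600) as $h) {
        header($h);
    }
    if (client_copy_is_current($etag)) {
        header('HTTP/1.1 304 Not Modified');   // no body, no fetch from S3
        return;
    }
    header('Content-Type: image/jpeg');
    readfile($url);
}
```

If the script also calls `session_start()`, PHP's default session cache limiter sends its own no-cache headers, including a `Pragma: no-cache` that the `Cache-Control` header above does not replace; calling `session_cache_limiter('')` before `session_start()` turns that off.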