I have the following problem:
I have several image galleries which should only be visible to registered user.
The images are in one directory per gallery, each dir with a long, cryptic name.
But if you know the link, you can access the images without authentication.
Since I am using PHP on the server side, a simple approach would be "readfile" with .htaccess, but I do not want to pass hundreds of images through php.
So I tried a different approach: I used basic http authentication, with a dynamic generated .htpasswd file, containing access data for each loggedin user, which is resetted after 24 hours and after every logout of a user, so links on the images are broken after max. 24 h.
But I do not want the user to type in the cryptic, auto-generated username and password for this authentication, so I use urls like this:
http://username:password@path-to-image
That works perfectly in chrome, but in FF, when I want to include more than one image, the dialog to enter username and password appears for some of the subdirs of the protected one.
An example: I have the following dirs:
/gallery/one/
/gallery/two/
The protection is in an .htaccess file in /gallery/
And sometimes firefox only loads the images from /gallery/one/, sometimes only from /gallery/two/, sometimes none of these, sometimes both. If he doesnt load at least one of these, he asks to enter your username and password.
I cannot explain this behaviour, and I havent found a solution to make FF safely accept more than one url with username and password in it without asking.
Is there a solution for this problem, or do you have any other way to safely protect files on the server?
Thanks in advance.
PS: I have heard of mod-xsendfile, but it cannot be installed on my webhost.
