Basically, all the files within the Apache directory are not accessible, except for the images. The images should be accessible, but only if loaded through the website. If I set the Apache rule based on the referer, it is very easy to bypass: http://www.mustap.com/phpzone_post_62_how-to-bypass-the-referer-se Of course it's not the right choice.
My Apache conf file:
<Directory /var/www/path>
Order allow,deny
Deny from all
Options -Indexes
# Check against the referer, first level check
SetEnvIf Referer domain1\.com domain1
SetEnvIf Referer domain1\.com domain2
<FilesMatch \.(jpg|jpeg|gif|png)$>
Order deny,allow
Deny from all
Allow from env=domain1
Allow from env=domain2
</FilesMatch>
</Directory>
How can I solve this without putting the images in a DB?
Thanks
One way to know for sure is to run all your images through a PHP script which uses something like readfile() to check the requested image and then output it.
For example: site.com/image.php?name=logo.jpg
The script could check if the user has a session on your site; if they don't, then it means they are requesting the image without viewing the site first (unless cookies are disabled).
This is going to increase load time though so you have to consider the cost/benefit of implementing.
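A sketch of the image.php gate described in this answer, added here as an example and not code from either poster. The session flag `site_visited`, the `resolveImage()` helper and the use of `/var/www/path` as the image directory are assumptions; because `name` comes from the request, the script reduces it to a bare filename and allowlists the extension before calling `readfile()`.

```php
<?php
// image.php?name=logo.jpg  (added example; names below are assumptions)
declare(strict_types=1);

const IMAGE_DIR = '/var/www/path';   // directory from the question's config
const MIME_BY_EXT = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'gif' => 'image/gif',  'png'  => 'image/png',
];

// Resolve the requested name to a file inside $baseDir, or return null.
function resolveImage(string $name, string $baseDir): ?string
{
    // basename() drops any directory part, so "../../etc/passwd" becomes "passwd".
    $file = basename($name);
    $ext  = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if ($file === '' || !array_key_exists($ext, MIME_BY_EXT)) {
        return null;
    }
    // realpath() follows symlinks; confirm the result is still under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
// Hypothetical flag: the site's normal pages set $_SESSION['site_visited'] = true.
if (empty($_SESSION['site_visited'])) {
    http_response_code(403);
    exit;
}
$name = $_GET['name'] ?? '';
$path = is_string($name) ? resolveImage($name, IMAGE_DIR) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}
session_write_close();  // release the session lock before streaming the file
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . MIME_BY_EXT[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With a script like this placed outside the protected directory, the `FilesMatch` exception is no longer needed: the directory can stay at `Deny from all`, because PHP reads the files from disk rather than Apache serving them over HTTP.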