How can I prevent the pictures being seen without log on?

afu

Joined: 2008-11-03
Posts: 4
Posted: Wed, 2009-03-25 18:30

First of all, all the pictures on the server are permissioned to be seen by registered users only. There is no permission granted to 'everybody'.

The following is what I found:

First I log on, go into an album, and view a picture. At this moment, the address bar shows a URL address of the picture: http://server.com/gallery2/main.php?g2_itemId=1234. But if you right click on the picture and select 'properties', you will get a different URL address: http://server.com/gallery2/main.php?g2_view=core.DownloadItem@g2_itemId=1234&g2_serialNumber=1

Now I log off. I type the first address into the address bar of my browser and, as expected, it brings me to the log on page of gallery2. So far, so good. But if I type the second address (the one copied from properties), surprise! The picture is right in front of me!!!

Is it a security problem? How can I prevent the pictures being seen without log on?

Thank you very much for the help.


Gallery version (not just "2"): 2.3
PHP version (e.g. 5.1.6):
PHPInfo Link (see FAQ):
Webserver (e.g. Apache 1.3.33): Apache 2.2.3
Database (e.g. MySql 5.0.32): MySql
Activated toolkits (e.g. NetPbm, GD):
Operating system (e.g. Linux): Linux (FC 6.0)
Browser (e.g. Firefox 2.0): Firefox 3.0.7

 
alecmyers

Joined: 2006-08-01
Posts: 4338
Posted: Wed, 2009-03-25 18:58

Have you cleared your browser cache?

 
nivekiam

Joined: 2002-12-10
Posts: 16503
Posted: Wed, 2009-03-25 19:12

And have you tried a different browser or different computer?

 
afu

Joined: 2008-11-03
Posts: 4
Posted: Wed, 2009-03-25 19:31

Oops, my bad. Completely forgot about cache.

After I cleared the cache and then typed in the second address, I got a security violation message, which makes sense.

Thank you very much.