I have a website; some folders on the website contain images and files like .pdf, .doc and .docx. The user can easily just type the address in the URL to get the file or display the photo:
http://site/folder1/img/pic1.jpg
then boom... he can see the image or just download the file.
My question is: how do I prevent this kind of action, and how can I guarantee secure access to the files?
Any suggestions?
UPDATE TO CLARIFY MY IDEA
I don't want any user who is browsing the website to get access to these files by just writing the URL of the file. Those files are CV files; they are uploaded by the users to a specific folder on the server, which we host outside the company. Those files are only viewed by the HR people through a special system. That's the scenario we want. I don't want a WEB GEEK who just wants to see what files have been uploaded to this folder to download them easily to his/her computer and view them or publish them on the internet. I hope you got my idea.
To increase the security of your files you can put them in a directory outside the webroot, and then stream them to your webpages via a script. On top of this, the script that streams them has to be on an access-controlled page. You can use .htaccess, but I prefer a more flexible login system.
You can store the files being uploaded into a directory outside your web application, so that it is not directly accessible via a URL; this will ensure that the web server will not serve these files via a requested URL.
When you have to serve these files, ensure that the user who has requested the file does have access to it. In other words, check if the user is authorized to view the files - you might want to authorize the original user who uploaded the file and the HR users to have access to the file.
Since the web server does not have direct access to the files, preventing it from serving them, you will have to write a server-side script in a language of your choice (PHP/ASP/JSP etc., since you didn't indicate any) that will, after the authorization checks pass, retrieve the file and serve its contents to the user.
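As an added illustration of the approach described in the two answers above (keep the uploads outside the web root, and hand them out only through a script that checks who is asking), here is example code that is not from this thread or from any poster. It assumes a small constructed metadata table `UPLOADS` that records which user uploaded each CV, two roles (`"hr"` and `"applicant"`), and a temporary directory standing in for the real out-of-web-root storage path; all function names are hypothetical. The path check matters as much as the authorization check: once a script reads files from disk on the user's behalf, a request like `../something` must not be able to escape the storage directory.

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample metadata (not from the original thread): which user
# uploaded which CV. In a real system this comes from the application's database.
UPLOADS = {
    "alice_cv.pdf": "alice",
    "bob_cv.docx": "bob",
}


@dataclass
class User:
    name: str
    role: str  # "applicant" or "hr"


def build_sample_store() -> Path:
    """Create a private directory holding two constructed CV files.

    Stands in for a directory outside the web root (e.g. /srv/app/private_uploads,
    an assumed path) that the web server is never configured to serve directly.
    """
    root = Path(tempfile.mkdtemp(prefix="private_uploads_"))
    for name in UPLOADS:
        (root / name).write_bytes(f"contents of {name}".encode())
    return root


def resolve_inside(root: Path, requested: str) -> Optional[Path]:
    """Map a requested file name to a path guaranteed to lie directly under root.

    Resolving the candidate and comparing its parent with the resolved root
    rejects "../" sequences, absolute paths and nested sub-paths alike.
    """
    candidate = (root / requested).resolve()
    if candidate.parent != root.resolve():
        return None
    return candidate


def is_authorized(user: Optional[User], file_name: str) -> bool:
    """HR staff may read every CV; an applicant may read only the CV they uploaded."""
    if user is None:
        return False
    if user.role == "hr":
        return True
    return UPLOADS.get(file_name) == user.name


def serve_file(root: Path, requested: str, user: Optional[User]) -> Tuple[int, Optional[bytes]]:
    """The download script: authenticate, contain the path, authorize, then read.

    Returns an (HTTP status, body) pair so the decision is easy to test.
    Authorization is checked before the file's existence is consulted, so an
    unauthorized caller learns nothing about which names exist on disk.
    """
    if user is None:
        return 401, None                       # not logged in
    path = resolve_inside(root, requested)
    if path is None:
        return 404, None                       # escaped the storage directory
    if not is_authorized(user, requested):
        return 403, None                       # logged in, but not this file
    if not path.is_file():
        return 404, None
    return 200, path.read_bytes()              # stream to the client here


if __name__ == "__main__":
    store = build_sample_store()
    reviewer = User("carol", "hr")
    status, body = serve_file(store, "alice_cv.pdf", reviewer)
    print(status, body)
```

In a real deployment the web framework would take the place of `serve_file`'s return value (writing the bytes with a `Content-Disposition` header), and the `UPLOADS` table and `User` object would come from the session and database; the three checks and their order are the part worth carrying over.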
You can check the HTTP Referer header as a way of checking that the link came from your site. Note that the referrer can be faked, but if you're just looking for a simple way to catch most folks, this does work.