
Add a login-based protection system for images

Open d7415 opened this issue 6 years ago • 2 comments

Currently Lychee has the option to use a symlink-based obfuscation and expiry method (#295) to protect images from unauthorised downloads or hotlinking.

In Lychee v3, a plugin (lychee-webroot) was available to run all image requests through Lychee's access system to limit download of private photos to authorised users. This sort of approach will result in a slower response (as Lychee is getting involved and adding cycles to every request) but provides reassurance that only authorised users can download the images.

NB #304

d7415, Sep 16 '19 16:09

From @kamil4 in #304: (Also now in the FAQ)

Right now, the protection is basically through the use of difficult to guess names (it's an MD5 checksum of the system time at the time of upload). #295 not only made those names temporary (this needs to be enabled in the Settings, BTW) but it also provided optional support for hiding the full-size version (this is only effective with symlinking as without it the URL can be derived from that of intermediate-size images).

@ildyria recently posted the following link on how a more effective protection could be implemented: https://bedigit.com/blog/laravel-5-how-to-access-image-uploaded-in-storage-within-view/. He didn't go down that route himself due to performance concerns but I agree that if somebody contributed a clean implementation as an option, we'd probably accept it.

d7415, Sep 16 '19 16:09
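A sketch of the approach discussed above, where every image request passes through the application's access check before the file is sent. This is an added example, not part of the thread and not Lychee's code; the `Photo` model, its `storage_path` and `is_public` columns, the `view` policy ability, the variant names and the URL layout are all assumptions made for illustration.

```php
<?php
// routes/web.php (hypothetical route, added for illustration; not Lychee code).
// Assumptions: App\Models\Photo has `storage_path` and `is_public` columns,
// a policy with a `view` ability is registered for it, and the "local" disk
// points at a directory the web server does NOT serve directly.

use App\Models\Photo;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;

Route::get('/photo/{photo}/{variant}', function (Request $request, Photo $photo, string $variant) {
    // Public photos go to anyone; private ones only to a logged-in user
    // that the policy allows to view this specific photo.
    $user = $request->user();
    $allowed = $photo->is_public
        || ($user !== null && $user->can('view', $photo));

    // Answer 404 rather than 403 so the response does not confirm
    // that a private photo exists at this id.
    abort_unless($allowed, 404);

    // The path is built from the database record and a whitelisted variant,
    // never from a client-supplied file name.
    $relative = $variant . '/' . $photo->storage_path;
    $disk = Storage::disk('local');
    abort_unless($disk->exists($relative), 404);

    return response()->file($disk->path($relative), [
        // Keep private images out of shared caches.
        'Cache-Control' => $photo->is_public ? 'public, max-age=86400' : 'private, no-store',
        'X-Content-Type-Options' => 'nosniff',
    ]);
})->where('variant', 'thumb|medium|original');
```

Because PHP handles every image response here, this is where the performance cost mentioned in the issue comes from.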

A bit OT, but may be interesting for someone: I solved a similar problem with .htaccess + a corresponding Apache authfile in a BIG subfolder of uploads. Bulletproof :) If a "stealing" problem occurs (Apache logs), I just remove the "garrulous" user from the auth file. Hotlinking and leeching are finished in a few secs.

Fireballcz, Nov 17 '19 22:11