If you make the images unreadable for the world (directory outside the www dir for instance, or just block it with a .htaccess (no need for referral check) you can be sure that nobody can access your image.

Then serve your image through a file (e.g. getImage.php?imageid=xxxx) that checks credentials, and if OK then reads the image (your php process can read the image, e.g. with file_get_contents() ) and then serve it up.

(use the correct header and you'll be fine: header("content-type: image/your_image_type"); )

To secure a file you can do one of following two things

1. Place the file in a secure area (out of your public accessible folder). Have its name stored in database and when somone clicks on download you pick that file up and let them download it.
2. Never reveal the file url to public. When someone wants to download an image they will click on download and you can use timestamp to generate a unique filename at that time and transfer the download with alias filename. Obviously the file wont actually exist on the server. You are just picking up the original file and changing its name so when someone recieves it they would not be able to guess its path. However if by some reason the path went out public then they can access the file.

Option 1 is mostly used when people store documents signatures etc Option 2 can be used if you dont have access to such folders like in shared hosting environment etc.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]

Be sure to replace "mydomain.com" with your own. The above code creates a failed request when hot linking of the specified file types occurs. In the case of images, a broken image is shown instead.