Encrypted file paths and hotlinking (v2023)

This public forum is for user-to-user discussions of PHPMaker. Note that this is not a support forum.

Post by philmills »

I'm using encrypted file paths in my project and also all my uploads are stored in folders in a path parallel to the web root folder:

  • webroot: /var/www/html
  • upload folder: /var/www/uploads

With this setup it's not possible to browse to the file path even if you know the filename.
Also it's not possible to hotlink to files unless you're logged into the site.

However it is possible for one logged-in user to share a file link with another logged-in user and they are able to open it.
I think this should be made impossible by default if file path encryption is turned on.
It shouldn't be too difficult to add a personalised encryption key into the file path, so that the file cannot be accessed without that key/user combination.

Is there a setting that I have missed which would disallow file hotlinking between logged in users?

Also what encryption method is used for file path encryption?


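One way to tie a file link to the user it was issued to, as the post proposes, shown as an added example (not PHPMaker's code and not part of the original post). It uses an HMAC tag over the user id and path rather than encryption, so the path is authenticated but not hidden; `makeFileToken`, `resolveFileToken`, the user ids and the temporary directory are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration; function names are hypothetical, not PHPMaker APIs.

function makeFileToken(string $relPath, string $userId, string $key): string {
    // The tag covers both the user id and the path, so it only verifies for that pair.
    $tag = hash_hmac('sha256', $userId . "\0" . $relPath, $key);
    return bin2hex($relPath) . '.' . $tag;
}

function resolveFileToken(string $token, string $userId, string $key, string $root): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || strlen($parts[0]) % 2 !== 0) {
        return null; // malformed token
    }
    $relPath = hex2bin($parts[0]);
    // $userId must come from the server-side session, never from the request.
    $expected = hash_hmac('sha256', $userId . "\0" . $relPath, $key);
    if (!hash_equals($expected, $parts[1])) {
        return null; // issued to a different user, or path/tag altered
    }
    // Confine the resolved file to the upload folder outside the web root.
    $base = realpath($root);
    $full = realpath($root . '/' . $relPath);
    $inside = $base !== false && $full !== false
        && strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return $inside ? $full : null;
}

// Constructed demo: a temp directory stands in for /var/www/uploads.
$root = sys_get_temp_dir() . '/uploads_demo_' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents($root . '/report.pdf', 'demo');
$key = random_bytes(32); // server-side secret, never sent to clients

$link = makeFileToken('report.pdf', 'alice', $key);
var_dump(resolveFileToken($link, 'alice', $key, $root)); // same user the link was issued to
var_dump(resolveFileToken($link, 'bob', $key, $root));   // another logged-in user, same link
unlink($root . '/report.pdf');
rmdir($root);
```

A link built this way stops working when pasted into another user's session, but it does not replace the per-file authorization check: a user who is not allowed to see a file should never be issued a token for it.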