I have a web server that provides access to public and private images. Anyone can get a public image via the url such as https://example.com/public/images/some-public-image.jpg. But for private images, only the owner of the image can access them via the link https://example.com/private/images/some-private-image.jpg, the request needs to have the session id of the authenticated user in the cookies.

To add a public image in an email content, I use <imag src="https://example.com/public/images/some-public-image.jpg" />in the email HTML content. But cannot use the private link such as <img src="https://example.com/private/images/some-private-image.jpg" /> because it needs authentication.

What is the common practice to add a private image to the email content?

Is it okay to embed a JWT token in the link like this

<img src="https://example.com/private/images/some-private-image.jpg?token=AdflkndidgX..." />

The server then checks the token validity before returning the image.

Does this approach has security problem?

1 Answers

Marco De Simone On

If your token is valid only for that image, and it can't be used for other scopes (like authentication with other API's for example), using it is not a problem. The problem is that all the authentication is based on the knowledge of image link. So if you generate an image using a guid for the name, it's the same.

However, you are not identifying the user that opens the image, you are just checking that someone knows that link. An attacker that steals the link can view image without any credentials knowledge and without doing the access. Are you sure that this is the behaviour that you want for your application? The best way is to send a mail without sensible informations (image) and to force the user to click to a link that authenticates him.