I'm building a site in which users can upload photos, and they can mark them as private, so no one can see them.
I know how to use an ACL-based system in php, but anyone will still be able to access the photos if they have the direct link to the image file.
Eg: User 1 wants to share Photo A with User 2, so he grants him access. User 2 right clicks on the image, and copies its url, eg 'http://example.com/private123.jpeg', and sends it to User 3. Now user 3 can see the image he shouldn't be able to see.
To sum up, I need a way to protect images based on user permissions, but still have them loading lightning fast (so running a php script each time an image is requested, is discarded).
Is it possible with apache? I was thinking that maybe I could set up a cookie when the user logs in, and let apache check that somehow. I don't care if cookies can be faked, 99,99+% of the users won't know how to do that, and the photos don't need more security than that.
Keep all the images in their own directory, and in that directory, put a .htaccess file with this in it:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !^.*name-of-my-cookie.*$ [NC]
RewriteRule .* /whatever/page [NC,L]
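
A tightened variant of the rule above, as an added example that is not part of the original answer: the cookie name `photo_session` and its 32-hex-character value format are assumptions, and the check still only confirms that a session-shaped cookie is present, not that this user was granted access to this particular photo.

```apache
# Added example: .htaccess for the private-images directory.
# "photo_session" and the 32-hex-character value are assumed names/formats.
RewriteEngine On

# Original check, kept for comparison: it passes whenever the string appears
# anywhere in the Cookie header, in any cookie's name or value.
# RewriteCond %{HTTP_COOKIE} !^.*name-of-my-cookie.*$ [NC]

# Tightened check: the cookie must appear as its own name=value pair and the
# value must have the shape the login code issues.
RewriteCond %{HTTP_COOKIE} !(?:^|;\s*)photo_session=[0-9a-f]{32}(?:;|$)

# Answer 403 instead of rewriting to a page, so a denied image request never
# returns HTML with status 200 that a browser or proxy could store as the image.
RewriteRule ^ - [F]

# Keep shared caches and proxies from storing images that passed the check.
<IfModule mod_headers.c>
    Header set Cache-Control "private, max-age=3600"
</IfModule>
```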