Only checking whether the cookie exists is not much of a strict protection.
To get stronger protection, you can pass or “proxy” all requests to the uploads folder (uploads
in the following example) through a PHP script:
RewriteCond %{REQUEST_FILENAME} -s
RewriteRule ^wp-content/uploads/(.*)$ dl-file.php?file=$1 [QSA,L]
All requests to uploaded files (which includes images in posts) would go to dl-file.php,
which can then verify whether the user is logged in or not.
If the user is not logged in, your site's login form will be shown. After the user has logged in, she will be redirected back to the file and can download it.
Something similar can be found in \wp-includes\ms-files.php
in your WordPress installation, but that one is for multisite and without the login check and redirects.
Depending on how much traffic you have, it could be wise to better integrate this with your server, e.g. with X-Accel-Redirect or X-Sendfile headers.
solved How to Protect Uploads, if User is not Logged In?
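
A minimal dl-file.php along the lines described above, as an added example rather than the answer's own script. It assumes the file sits in the WordPress root beside wp-load.php and receives the requested path in the `file` query parameter from the rewrite rule; because that parameter is user-controlled, the script resolves it and refuses anything outside the uploads directory.

```php
<?php
// dl-file.php: added example, assumed to live in the WordPress root.
// Assumption: the rewrite rule passes the requested path as ?file=...

require_once __DIR__ . '/wp-load.php';

// Send anonymous visitors to the login form; auth_redirect() returns them
// to the originally requested URL after a successful login.
if ( ! is_user_logged_in() ) {
    auth_redirect();
    exit;
}

$uploads = wp_upload_dir();
$basedir = realpath( $uploads['basedir'] );
$request = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';

// Resolve symlinks and ../ sequences, then require the result to stay
// inside the uploads directory so the script cannot be used to read
// wp-config.php or any other file on the server.
$path = realpath( $basedir . '/' . $request );
if ( false === $basedir || false === $path
    || 0 !== strpos( $path, $basedir . DIRECTORY_SEPARATOR )
    || ! is_file( $path ) ) {
    status_header( 404 );
    exit( '404 File not found.' );
}

// Only serve file types WordPress itself allows for uploads.
$filetype = wp_check_filetype( $path );
if ( empty( $filetype['type'] ) ) {
    status_header( 403 );
    exit( '403 Forbidden.' );
}

// Content for logged-in users only must not be stored by shared caches.
nocache_headers();
header( 'Content-Type: ' . $filetype['type'] );
header( 'Content-Length: ' . filesize( $path ) );
header( 'X-Content-Type-Options: nosniff' );

// Discard buffered output so the file bytes are sent unmodified.
while ( ob_get_level() > 0 ) {
    ob_end_clean();
}
readfile( $path );
exit;
```

Every upload request now boots WordPress, which is the cost the X-Accel-Redirect or X-Sendfile integration is meant to reduce: the script keeps the login and path checks and hands the actual file transfer to the web server.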