Storing/serving images securely and efficiently

What is the best practice for storing and serving images securely
without
hurting performance?

Is it possible to store user images in a folder that’s not web
accessible
(possibly higher up and before /www?) and serve on demand after the user
has
logged in to the page? There is a username and password access
mechanism
already in place.

The users don’t want these images to be publicly accessible.

I am running nginx with php on Ubuntu. Database is mysql.

Thank you.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,233756,233756#msg-233756