Coffeehouse Thread

6 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

Preventing direct access to image files in browser

  • itsnotabug

    hello gurus! looking for some direction...

     

    What's the best way to disallow direct browsing access to an image file (www/images/myImage.jpg)? We're using a custom authentication scheme on the secure pages (not using the built-in ASP.NET membership), but image files that live under the images folder and are used on those secure pages are still accessible in the browser if you know the exact URL to navigate to directly.

     

    ASP.NET 2.0

    IIS 6

     

  • W3bbo

    If you were on IIS 7, you could conceivably get it to apply ASP.NET authentication to generic image files, but anyway...

     

    You'll have to stop serving those image files directly and instead serve them via an *.ashx generic handler that does the authentication check and otherwise returns a 403 error.

  • rhm

    W3bbo said:

    If you were on IIS 7, you could conceivably get it to apply ASP.NET authentication to generic image files, but anyway...

     

    You'll have to stop serving those image files directly and instead serve them via an *.ashx generic handler that does the authentication check and otherwise returns a 403 error.

    Yeah, or you can use the URL rewriting module (which I think is available for IIS 6) to rewrite the requests for that images directory so they call an .aspx page with the original URL as a parameter. Then check whatever you like before changing the content type and spitting out the contents of the file. There are probably tons of examples of how to do this if you search the web - particularly stackoverflow.com.

     

  • itsnotabug

    Eeeek... we have thousands of legacy HTML files containing img links to different sub/image directories, read and served in a pseudo masterPage.aspx.

     

    I'm working through this article, but something isn't working with my example app... no image: http://www.15seconds.com/issue/070104.htm

     

  • figuerres

    itsnotabug said:

    Eeeek... we have thousands of legacy HTML files containing img links to different sub/image directories, read and served in a pseudo masterPage.aspx.

     

    I'm working through this article, but something isn't working with my example app... no image: http://www.15seconds.com/issue/070104.htm

     

    But you have some images that you need to protect, not all of them, I hope?

     

    If it's just some images, you can put them in a folder that only your code can serve up, and you can protect that folder from direct download.

    Then leave the rest alone... wherever they are.

  • sysrpl

    What you can do is this: move all the images to a new folder, write a custom error handler page for 404, and inside the error handler check the requested file name (was the client requesting an image from your old images folder?) and the referer (was the request originating from a page on your site?).

     

    If the request was for an image in your old images folder and the referer was from a page on your site, set the content type to the type from the requested name (e.g. /images/beach.jpg = Content-Type: image/jpeg), open a stream, read from the secret moved location, and send the bytes.

     

    If the request wasn't for an image in your old images folder, or if the referer is outside your site (e.g. blank), redirect to whatever page you want, such as a creative 404 page, or redirect them back to your home page, or maybe even generate a page warning people not to hotlink images.

     

    They could still get the images by writing something which creates a header with a false referer, but this should be good enough for most cases, especially since they don't know you are checking the referer.
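The two approaches in this thread (W3bbo's and rhm's authenticated *.ashx handler, and sysrpl's custom 404 page with a referer check) share the same serving code, so here they are together in one added example. This is not code from the thread or from any of the posters; it is written for ASP.NET 2.0 / C# 2.0 on IIS 6, where IIS serves .jpg files itself unless you route them through ASP.NET. Everything not in the thread is an assumption: the private folder `D:\Sites\Private\images` outside the web root, the session key `AuthenticatedUser` standing in for the site's custom authentication, the handler name `ProtectedImage.ashx` with its `path` query parameter (which a rewrite rule for the old `/images/...` URLs would supply), the page `NotFound.aspx` registered in IIS 6 as the URL-type custom error for 404 (IIS 6 then calls it as `/NotFound.aspx?404;http://host/images/sub/beach.jpg`), and `Default.aspx` as the redirect target. The path check is what keeps `?path=..\web.config` from being served; sysrpl's own caveat stands, a forged Referer header gets through the 404 route, so only the handler route is an access control.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.SessionState;

// Shared plumbing: map "sub/beach.jpg" onto a folder outside the web root
// (so IIS cannot serve the file directly) and stream it with the right type.
public static class ImageGate
{
    // ASSUMPTION: the moved images live here, outside the site's wwwroot.
    public const string PrivateRoot = @"D:\Sites\Private\images";

    // Physical path for a relative name, or null if it escapes PrivateRoot (..\ tricks).
    public static string ResolvePrivatePath(string relative)
    {
        string combined = Path.Combine(PrivateRoot, relative.TrimStart('/', '\\').Replace('/', '\\'));
        string candidate = Path.GetFullPath(combined);
        string root = PrivateRoot.TrimEnd('\\') + "\\";
        return candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? candidate : null;
    }

    // Only known image types pass through the gate; anything else is "not found".
    public static string ContentTypeFor(string fileName)
    {
        switch (Path.GetExtension(fileName).ToLowerInvariant())
        {
            case ".jpg": case ".jpeg": return "image/jpeg";
            case ".png": return "image/png";
            case ".gif": return "image/gif";
            default: return null;
        }
    }

    // Streams the file, or answers 404 with no body. Returns false if nothing was sent.
    public static bool Send(HttpResponse response, string relative)
    {
        string physical = ResolvePrivatePath(relative);
        string contentType = ContentTypeFor(relative);
        if (physical == null || contentType == null || !File.Exists(physical))
        {
            response.StatusCode = 404;
            response.SuppressContent = true;
            return false;
        }
        response.Clear();
        response.StatusCode = 200;
        response.ContentType = contentType;
        response.Cache.SetCacheability(HttpCacheability.Private); // no shared-cache reuse for other visitors
        response.TransmitFile(physical);
        return true;
    }
}

// W3bbo / rhm: an .ashx handler that checks the login before serving.
// Requested as /ProtectedImage.ashx?path=sub/beach.jpg (a rewrite rule can map
// the old /images/sub/beach.jpg URLs onto exactly that).
public class ProtectedImageHandler : IHttpHandler, IRequiresSessionState
{
    // ASSUMPTION: the site's custom authentication marks logged-in users in session.
    private static bool IsLoggedIn(HttpContext context)
    {
        return context.Session != null && context.Session["AuthenticatedUser"] != null;
    }

    public void ProcessRequest(HttpContext context)
    {
        if (!IsLoggedIn(context))
        {
            context.Response.StatusCode = 403;      // authenticated or nothing
            context.Response.SuppressContent = true;
            return;
        }
        ImageGate.Send(context.Response, context.Request.QueryString["path"] ?? "");
    }

    public bool IsReusable { get { return true; } }
}

// sysrpl: IIS 6 custom 404 page (URL-type error pointing at /NotFound.aspx).
// Hotlinks, blank referers and genuine 404s are sent to the home page instead.
public partial class NotFound : System.Web.UI.Page
{
    private const string OldImagesPrefix = "/images/";

    protected void Page_Load(object sender, EventArgs e)
    {
        string original = OriginalPath(Request.Url.Query);
        if (original == null
            || !original.StartsWith(OldImagesPrefix, StringComparison.OrdinalIgnoreCase)
            || !IsSameSiteReferer(Request))
        {
            Response.Redirect("~/Default.aspx", true);
            return;
        }
        ImageGate.Send(Response, original.Substring(OldImagesPrefix.Length));
        Response.End(); // keep the page's own markup out of the image bytes
    }

    // "?404;http://host/images/sub/beach.jpg" -> "/images/sub/beach.jpg"
    internal static string OriginalPath(string query)
    {
        if (query == null || !query.StartsWith("?404;")) return null;
        Uri original;
        return Uri.TryCreate(query.Substring(5), UriKind.Absolute, out original) ? original.AbsolutePath : null;
    }

    private static bool IsSameSiteReferer(HttpRequest request)
    {
        try
        {
            Uri referer = request.UrlReferrer; // null when the header is absent
            return referer != null && String.Equals(referer.Host, request.Url.Host, StringComparison.OrdinalIgnoreCase);
        }
        catch (UriFormatException) { return false; } // malformed Referer counts as off-site
    }
}
```

On IIS 6 the handler only runs if requests actually reach ASP.NET, which is why the thread's options are an .ashx URL, a rewrite onto one, or the IIS custom-error hook; a plain `<authorization>` section in web.config never sees a `.jpg` request unless that extension is mapped to aspnet_isapi.dll. Caching is set to private so the browser may keep the image but a proxy will not serve it to the next, unauthenticated, visitor.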
