How can I deny all users direct access to image files in the images folder?

AF

How can I deny all users direct access to image files in the images folder?
In the 'application settings' (IIS manager properties) you may add the picture
extensions to the list of files parsed by the .NET engine.

Example:
add the executable 'C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll'
to the extension '.jpg'
verbs: 'GET'

Then, you may code any business rule into your global.asax::Application_BeginRequest
method:

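// Runs for every request that IIS hands to ASP.NET (now including .jpg)
string extension = MyUtils.GetExtension(Request.Url.ToString());
// UrlReferrer is a Uri, and it is null when no Referer header was sent
string referrer = (Request.UrlReferrer == null) ? null : Request.UrlReferrer.ToString();
if (extension.Equals("jpg") && !MyUtils.IsReferrerValid(referrer))
{
    Response.Write("direct access denied.");
    Response.End();
}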


Antonio Fontes
http://www.futureblogs.net/antonio
 
Tasos Vogiatzoglou

You cannot. At least you cannot by using a standard mechanism.

If you want to do such a thing, you have to develop a component that
displays the images by requesting them with an identity that has access
to the image folder and then restrict access to all users. Either way,
it's not a configuration or trivial task.

A good idea would be to scramble the names of the images so the users
cannot guess the image filenames.
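
One way to build the component described in the post above, as an added example that is not code from any poster in this thread: an HTTP handler that reads files from a folder IIS does not serve directly. The class name ProtectedImageHandler, the folder ~/protected_images, the "name" query parameter, the sign-in requirement and .NET 2.0 or later are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Added example (hypothetical names). Register the class under
// <httpHandlers> in web.config and deny direct requests to the folder in IIS.
public class ProtectedImageHandler : IHttpHandler
{
    // Assumed folder that only the worker process identity may read.
    private const string ImageFolder = "~/protected_images";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Assumed business rule: only signed-in users may fetch images.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 403;
            return;
        }

        // Accept a bare file name only: any separator, drive colon or other
        // invalid character is rejected, so "..\web.config" cannot leave the folder.
        string name = context.Request.QueryString["name"];
        if (name == null || name.Length == 0
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            context.Response.StatusCode = 400;
            return;
        }

        // Serve known image types only; anything else is treated as not found.
        string ext = Path.GetExtension(name).ToLowerInvariant();
        string contentType = ext == ".jpg" ? "image/jpeg"
                           : ext == ".gif" ? "image/gif"
                           : ext == ".png" ? "image/png" : null;
        string fullPath = Path.Combine(context.Server.MapPath(ImageFolder), name);
        if (contentType == null || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = contentType;
        context.Response.WriteFile(fullPath);
    }
}
```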
 
AF

I forgot to say that this method can also be a good practice to
manage deep bandwidth usage control, for example when
a certain amount per client is allowed:

// in global.asax
protected void Application_BeginRequest(object sender, EventArgs e)
{
    // example url: http://mydomain.com/uploads/1289473/pics/mypic.jpg
    string url = Request.Url.ToString();
    string filePath = Server.MapPath(MyUtils.ParseUrlPath(url));
    long clientRef = MyUtils.ParseClientRef(url);

    // get file length (FileInfo.Length is a long)
    long fileSize = new FileInfo(filePath).Length;

    // add to bandwidth usage
    CustomerUtils.IncrementBandwitthUsage(clientRef, fileSize);
}



Antonio
http://www.futureblogs.net/antonio
 
Tasos Vogiatzoglou

And how is he going to display these images on his site? I thought that
he wants to prohibit DIRECT access to the img folder.
 
AF

And how is he going to display these images on his site? I thought that
he wants to prohibit DIRECT access to the img folder.

The beginrequest event is triggered before delivering the resource.
If you read the first code example I've posted, there's a check on
the referrer validity: MyUtils.IsReferrerValid(referrer).

If the referrer is valid, then there's nothing to do... just let the request
processing go on.



Antonio Fontes
http://www.futureblogs.net/antonio
 
AF

MyUtils.IsReferrerValid(referrer)
Is that a class you wrote, Antonio ?

This is what I would write. I haven't coded it, it was just needed
to give some example to my answer.


But that could look like:
---------------------------------------------------
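public static bool IsReferrerValid(string aReferrer)
{
    // No referrer at all (URL typed in directly, or header stripped)
    if (aReferrer == null || aReferrer.Length == 0)
        return false;

    string validDomain = MyUtils.GetSettingsFromWebConfig("mydomain");
    try
    {
        // Compare the host of the referrer, not the host of the current request
        string referrerDomain = new Uri(aReferrer).Host;
        return String.Compare(referrerDomain, validDomain, true) == 0;
    }
    catch (UriFormatException)
    {
        // Malformed referrer value
        return false;
    }
}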
---------------------------------------------------

The valid domains list could be a single item in web.config, or an
arraylist retrieved from a database or whatsoever.


Antonio Fontes
http://www.futureblogs.net/antonio
 
