Protecting image files

[Ryan Moore]

I am creating a site that has an "Uploads" directory where users can upload
image files (let's say .jpgs and .gifs). When a user uploads an image, the
system creates a directory within this "Uploads" directory to place their
image in. What I would like to do is protect the ENTIRE uploads directory so
a user cannot navigate directly to http://mysite/uploads/2/img.jpg without
logging into the site first (I'm using forms authentication). I'm trying to
protect the image files using the following in my web.config:

<httpHandlers>
<add verb="*" path="*.jpg" type="System.Web.HttpForbiddenHandler" />
<add verb="*" path="*.gif" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>

but it has no effect. What can I do to accomplish this?

thnx

 

[Craig Deelsnyder]

I am creating a site that has an "Uploads" directory where users can upload
image files (let's say .jpgs and .gifs). When a user uploads an image, the
system creates a directory within this "Uploads" directory to place their
image in. What I would like to do is protect the ENTIRE uploads directory so
a user cannot navigate directly to http://mysite/uploads/2/img.jpg without
logging into the site first (I'm using forms authentication). I'm trying to

You have to add the file extensions (or I should say remap them) to the
aspnet dll in IIS. Right now, what's happening is the request for those
is never making it to the ASP.NET process, cuz IIS is handling them
differently. Hence your forms authentication is never checked.

Go into IIS, I believe under the 'Configuration' button on your virtual
directory, and map all extensions you want to protect to the ASP.NET dll
(see the .aspx extension for the value to copy).

 

[Kevin Spencer]

Of course, the easiest remedy is to place these files in a folder that is
not exposed to the web server.

--
HTH,
Kevin Spencer
..Net Developer
Microsoft MVP
Big things are made up
of lots of little things.

 

[Simon]

I am creating a site that has an "Uploads" directory where users can upload
image files (let's say .jpgs and .gifs). When a user uploads an image, the
system creates a directory within this "Uploads" directory to place their
image in. What I would like to do is protect the ENTIRE uploads directory so
a user cannot navigate directly to http://mysite/uploads/2/img.jpg without
logging into the site first (I'm using forms authentication). I'm trying to
protect the image files using the following in my web.config:

<httpHandlers>
<add verb="*" path="*.jpg" type="System.Web.HttpForbiddenHandler" />
<add verb="*" path="*.gif" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>

but it has no effect. What can I do to accomplish this?

thnx

I am also trying to create the same idea on my web site that is hosted
by yahoo I cant get started have you any tips for me html with a php
script or all html i would be interested in how you got this far. with
your problem can you not password protect that directory.

 

[richlm]

Have you added the file extensions .jpg and .gif to be processed by the
ASP.NET ISAPI extension?

In IIS 5.0 you can do this via the "configuration" button under properties
for the virtual directory in question.

Once you do this, you should not need the ForbiddenHandler.

Richard.