限制对文件的访问
[英]restricting access to files
问题描述
I'm currently developing a picture-storage on MVC3 and have a question how to restrict access to images. 
我目前正在MVC3上开发图片存储,并且有一个问题如何限制对图像的访问。 If I insert image into HTML lice <img src="/ImagesFolder/image0001.jpg"> it will be shown correctly, but anyone who write full path in browser will get that image too. 如果我将图像插入HTML虱子<img src="/ImagesFolder/image0001.jpg"> ,它将正确显示,但是在浏览器中写完整路径的任何人也将获得该图像。 I don't wand to permit it. 我不愿意允许它。 One way is to embed image as base64 string, but it is suitable only for small images, I have large ones. 一种方法是将图像作为base64字符串嵌入,但仅适用于小图像,我有大图像。
I've seen recommendations to create image-accessing action, and use something like <img src="/GetImage?ID=1123"> , but at that GetImage page I will still use either direct-path or base64 methods? 我看到了创建图像访问操作的建议,并使用了类似<img src="/GetImage?ID=1123"> ,但是在该GetImage页面上,我仍将使用直接路径方法还是base64方法? and in first way full path to imagefile will be translated into parent view and still can be seen in picture properties? 并以第一种方式将imagefile的完整路径转换为父视图,并且仍然可以在图片属性中看到?
Is there a way to use System.Drawing.Image in <img src=""> or any other way? 有没有办法在<img src="">使用System.Drawing.Image或其他任何方式? Do you know any samples? 你知道样品吗?
2 个解决方案
解决方案1
1 已采纳 2013-03-28 08:10:49
One way to do this is put all of the images into a path which is not published by the http server. 一种方法是将所有图像放入http服务器未发布的路径。 This way there is no direct path users can put into the browser. 这样,用户就没有直接路径可以进入浏览器。
Scripts themselves are on the server so they can access this path. 脚本本身在服务器上,因此它们可以访问此路径。 Your image-access method should be a script which returns actual data and identify itself as the data it is serving image/jpeg for jpegs for example. 您的图片访问方法应该是一个脚本,该脚本返回实际数据并将其自身标识为正在为jpeg提供图片/ jpeg的数据。 This way if somebody accesses GetImage method by some other means than the one you have designed the script can detect it (by referer, or other means) and return nothing. 这样,如果有人通过您设计的脚本之外的其他方式访问GetImage方法,则可以(通过引用或其他方式)检测到它,并且不返回任何内容。
解决方案2
0 2013-03-28 08:07:43
I think that the "image-accessing action" solution you mention is the easiest one to implement. 我认为您提到的“图像访问操作”解决方案是最容易实现的解决方案。 The GetImage script could for example check for a cookie that you set in your application, so that only people that have first visited your site can receive the images. 例如,GetImage脚本可以检查您在应用程序中设置的cookie,以便只有第一次访问您网站的人才能接收图像。
Now, if you want to prevent people to display the images by typing the URL in the browser after they visited your site, this is more tricky and in my opinion there isn't an easy solution for that. 现在,如果您想防止人们在访问您的网站后通过在浏览器中键入URL来显示图像,这将变得更加棘手,并且我认为没有一个简单的解决方案。 You might check the Referer HTTP header to see if the request is related to your website (as Referer will be empty when putting the URL into the URL bar, but will contain the URL of the page containing the image when it is included with <img src=...> ), but this solution has a drawback, as it will prevent browsers not sending the Referer header (generally for privacy reasons; it is not a very wide-spread configuration but this happens) from seeing your images at all. 您可能会检查Referer HTTP标头,以查看请求是否与您的网站有关(因为将URL放入URL栏中时Referer将为空,但是当<img src=...>包含该图像时,它将包含页面的URL。 <img src=...> ),但是该解决方案有一个缺点,因为它将阻止浏览器不发送Referer标头(通常出于隐私原因;这不是一个非常广泛的配置,但是会发生这种情况)根本看不到您的图像。 A second possible drawback is that people will probably be able to see the images that are already cached in your browser by typing their URL, unless you can configure the server to serve them with some headers disallowing caching. 第二个可能的缺点是,除非您可以配置服务器为服务器提供一些不允许缓存的标头,否则人们可能会通过输入URL来查看已在浏览器中缓存的图像。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.