
Check if user has logged in or not

I have a gridview in which one column contains images. I have used lightbox to zoom the clicked image. But when I right click on the image and select the option "Open link in new tab", the image gets opened in a new tab. That's not a problem.

After that I press the log out button. Now I copy that image link and paste it in the address bar, and the same picture gets opened. I want that first it should be checked whether the user has logged in or not, and then open the image if he has logged in, otherwise not. All the images of the gridview are stored in a folder named "product images".

I am already checking login status on the page where the gridview is used. Tell me what to do.

Your problem is that security trimming is not applied on your images.

Static resources do not follow the same route as an asp.net page, so security trimming is not applied on images.

As long as you have a web.config file that does not allow unauthorized users in that images folder, you could handle the problem by setting at web.config => system.webServer => modules

<modules runAllManagedModulesForAllRequests="true">

... but this would mean that all resources would be routed through the asp.net pipeline, which could generate performance issues.

In response to your question (my solution):

I would actually go another way, which would be a little more difficult, which would be:

  • Make the folder product images invisible to any user by using IIS Request Filtering (=> Hidden Segments => Disallow access to that folder)
  • Then create a custom http handler (.ashx file) in which I would have the image name as a parameter. That handler at ProcessRequest would get the image parameter, open the specific file and stream the data from the image to the response.
  • That handler could easily be placed under security trimming, as long as it goes through the ASP.NET pipeline, so users not logged in would not have access to the handler. Performance would be somewhat slower, but only for those specific images. Also note that you should change any direct calls to the images. For example, if you had src='/product images/imageA.png', this should change to src='/ImagesHandler.ashx?image=imageA.png'.

After your comment on difficulty and Abhishek Punj's answer I would like to mention:

  • My solution wouldn't need to register handlers for each file type (what if you add a .jpg file type afterward and haven't registered it?).

  • Also, even with Abhishek Punj's answer you would still need to stream image data from the image file to the response.

  • In addition, with my solution you won't need a custom check for user permissions at ProcessRequest; ASP.NET security trimming would handle it.

  • Also, my solution tries to "protect the folder", where Abhishek Punj tries to "protect the file type globally".

  • But most important, Abhishek Punj's answer means that ALL IMAGES would go through the ASP.NET pipeline, which means that if you had any images on the log on form, for example, they won't be shown to the user either! After all, if you would handle all image file types, then why wouldn't you go with runAllManagedModulesForAllRequests="true", without any coding?
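The handler described in this answer, written out as an added example (not the answer's own code; the class name, the "image" parameter and the folder path are assumptions). It assumes the "product images" folder is an IIS hidden segment and that the .ashx sits under an <authorization> rule denying anonymous users, and it validates the file name so the parameter cannot reach files outside that folder.

```csharp
// ImagesHandler.ashx.cs: serves one image from a folder that direct requests cannot reach.
using System;
using System.IO;
using System.Web;

public class ImagesHandler : IHttpHandler
{
    // Folder hidden from direct requests via IIS Request Filtering (assumed path).
    private const string ImageFolder = "~/product images";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // <authorization><deny users="?"/></authorization> already keeps anonymous users out;
        // this explicit check is defence in depth in case the handler is mapped elsewhere.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        string name = context.Request.QueryString["image"];
        // Accept only a bare file name: no directory separators, no "..".
        if (string.IsNullOrEmpty(name) || name != Path.GetFileName(name) || name.Contains(".."))
        {
            context.Response.StatusCode = 400;
            return;
        }

        string folder = context.Server.MapPath(ImageFolder);
        string fullPath = Path.GetFullPath(Path.Combine(folder, name));
        // Second guard: the resolved path must still lie inside the image folder.
        if (!fullPath.StartsWith(folder + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = MimeMapping.GetMimeMapping(fullPath);
        // Disable caching so a logged-out user cannot see the image from the browser cache.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.Cache.SetNoStore();
        context.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        context.Response.TransmitFile(fullPath);
    }
}
```

In the gridview, image sources then become src='/ImagesHandler.ashx?image=imageA.png' as the answer describes.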

You can create a new handler and register it in IIS for the type of extension that your image file has. In that handler, on begin request, you can check if the user is authenticated using the Principal set by forms authentication. This would not fire for all the static files and hence would perform better than the solution mentioned by George.

However, there is one more problem that you will face: all the static resources are cached by the browser, and hence it might not send a request to the server at all and just display the image to the user without authentication.

To deal with this problem you will need to set the no-cache header in the response from the custom handler you wrote in the first step, so that the browser doesn't cache the response and always hits the server to serve the response.

Response.AppendHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
Response.AppendHeader("Pragma", "no-cache"); // HTTP 1.0.
Response.AppendHeader("Expires", "0"); // Proxies.

Hope this gives you the desired direction.

EDIT: Based on points raised by George

runAllManagedModulesForAllRequests="true" will not only be triggered for all images, it will also be triggered for all CSS files and javascript files as well, hence increasing the overhead.

If you want to specifically restrict files just in a specific directory, a very simple way would be to mention the directory as a key in the config and do a regex comparison to check if the request is required to be authenticated or not. This can also be extended to cater to various files or directories to be included or restricted with a custom configuration section as per need.

As far as registering the handler for requests with other file extensions is concerned, it's a matter of seconds, not a painful task.
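The directory-regex variant from the EDIT, as an added example rather than this answer's code (the module name and the ProtectedPathPattern appSettings key are assumptions). It runs after forms authentication has populated the Principal, rejects unauthenticated requests whose path matches the configured directory, and applies the no-cache headers to the ones it lets through; registering it for static files in IIS integrated mode requires the module entry under system.webServer with an empty preCondition.

```csharp
// ProtectedImagesModule.cs: gates static requests under a configured directory by login status.
using System;
using System.Configuration;
using System.Text.RegularExpressions;
using System.Web;

public class ProtectedImagesModule : IHttpModule
{
    // Pattern read from web.config, e.g. <add key="ProtectedPathPattern" value="^/product images/" />
    // (assumed key; the fallback below protects the folder named in the question).
    private static readonly Regex ProtectedPath = new Regex(
        ConfigurationManager.AppSettings["ProtectedPathPattern"] ?? "^/product images/",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest: FormsAuthenticationModule has already set context.User.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext context = app.Context;

        // Application-relative path, e.g. "~/product images/imageA.png" -> "/product images/imageA.png".
        string path = context.Request.AppRelativeCurrentExecutionFilePath.TrimStart('~');
        if (!ProtectedPath.IsMatch(path))
            return; // not a protected resource: let IIS serve it normally

        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            // 401 is turned into the login-page redirect by forms authentication at EndRequest.
            context.Response.StatusCode = 401;
            app.CompleteRequest();
            return;
        }

        // Logged in: still forbid caching so the image is not replayed from cache after logout.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.Cache.SetNoStore();
        context.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
    }

    public void Dispose() { }
}
```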
