
restricting access to files

I'm currently developing a picture storage on MVC3 and have a question about how to restrict access to images. If I insert an image into HTML like <img src="/ImagesFolder/image0001.jpg"> it will be shown correctly, but anyone who writes the full path in the browser will get that image too. I don't want to permit that. One way is to embed the image as a base64 string, but that is suitable only for small images, and I have large ones.

I've seen recommendations to create an image-accessing action and use something like <img src="/GetImage?ID=1123">, but on that GetImage page will I still use either the direct-path or base64 method? And in the first case, will the full path to the image file be passed to the parent view and still be visible in the picture properties?

Is there a way to use System.Drawing.Image in <img src=""> or any other way? Do you know any samples?

One way to do this is to put all of the images into a path which is not published by the HTTP server. This way there is no direct path users can put into the browser.

Scripts themselves are on the server, so they can access this path. Your image-access method should be a script which returns the actual data and identifies itself as the data it is serving, image/jpeg for JPEGs for example. This way, if somebody accesses the GetImage method by some means other than the one you have designed, the script can detect it (by referer, or other means) and return nothing.

I think that the "image-accessing action" solution you mention is the easiest one to implement. The GetImage script could for example check for a cookie that you set in your application, so that only people that have first visited your site can receive the images.

Now, if you want to prevent people from displaying the images by typing the URL in the browser after they visited your site, this is more tricky and in my opinion there isn't an easy solution for that. You might check the Referer HTTP header to see if the request is related to your website (as Referer will be empty when putting the URL into the URL bar, but will contain the URL of the page containing the image when it is included with <img src=...>), but this solution has a drawback, as it will prevent browsers that do not send the Referer header (generally for privacy reasons; it is not a very widespread configuration, but this happens) from seeing your images at all. A second possible drawback is that people will probably be able to see the images that are already cached in your browser by typing their URL, unless you can configure the server to serve them with some headers disallowing caching.
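
The approach from the two answers above, combined into one MVC3 action. This is an added example, not code from the original question or answers: the controller name, the ~/App_Data/Images folder, the imageNNNN.jpg naming scheme and the use of [Authorize] as the cookie check are all assumptions. With the default route the tag becomes <img src="/Images/GetImage/1123">.

```csharp
using System.IO;
using System.Web;
using System.Web.Mvc;

// Added example. Controller name, folder and file-naming scheme are assumptions.
public class ImagesController : Controller
{
    // ASP.NET refuses direct requests for anything under App_Data,
    // so no browser URL maps to the files stored here.
    private const string ImageRoot = "~/App_Data/Images";

    // [Authorize] rejects requests that do not carry a valid
    // authentication cookie (the "check for a cookie" idea above).
    [Authorize]
    public ActionResult GetImage(int id)
    {
        if (id < 0)
        {
            return HttpNotFound();
        }

        // The file name is built from an integer only. The client never
        // supplies a path fragment, so "../" tricks cannot reach other files,
        // and the physical path is never sent to the view or the browser.
        string fileName = string.Format("image{0:D4}.jpg", id);
        string fullPath = Path.Combine(Server.MapPath(ImageRoot), fileName);

        // Fully qualified because Controller.File() hides System.IO.File here.
        if (!System.IO.File.Exists(fullPath))
        {
            return HttpNotFound();
        }

        // Ask browsers and proxies not to keep a copy, so the image URL
        // cannot be replayed from cache after the session ends.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        // Streams the bytes with the right content type; no base64 needed.
        return File(fullPath, "image/jpeg");
    }
}
```

If images belong to individual users, a lookup that confirms the current user may see the requested ID belongs before the File() call; the cookie check alone only proves the caller is logged in.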
