
ASP.NET: protect images using custom HttpHandlers

I want to protect the images in my webpage.

I want to show the images, but if the user wants to download or save an image, it should not be saved to his local hard drive.

I wrote a custom handler to restrict access to downloading the images, but this handler also prevents the images from being displayed.

My code is:

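using System.Web;

public class MyFileHandler : IHttpHandler
{
    // Called for every request mapped to this handler in web.config.
    public void ProcessRequest(HttpContext context)
    {
        // Declares a JPEG response but writes plain text instead of image bytes,
        // so the browser has nothing it can render as an image.
        context.Response.ContentType = "image/Jpeg";
        context.Response.Write("you dont have access");
    }

    public bool IsReusable
    {
        get
        {
            return false;
        }
    }
}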

In web.config:

<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0"/>
    <httpHandlers>
      <add verb="*" path="*.jpg" validate="true" type="MyFileHandler"/>
    </httpHandlers>
  </system.web>
</configuration>

Is there any solution to show the image in the web page but not allow saving or downloading it?

In short, no. What you serve to the client browser is on the client machine, and can be saved. It probably will be saved in the cache. No matter whether you serve the image directly or via a handler, it's the same from the browser's point of view.

If you don't want somebody to be able to save an image to the hard-drive, don't put that image online.

One thing I can think of is to assign a token to the image and set the expiration value to be very short, such as a few minutes. For example, in an Azure storage account, one can create a private container and use a SAS token to display the image on the client side. But as said by others, there is no way of stopping users from downloading the image.

        // Namespaces needed: System, System.Threading.Tasks, Azure.Storage.Blobs,
        // Azure.Storage.Sas, Microsoft.AspNetCore.Mvc
        [HttpGet("SasExample")]
        public async Task<IActionResult> SasExample()
        {
            string connectionString = "your-container-connection-string";
            BlobServiceClient blobServiceClient = new BlobServiceClient(connectionString);
            var sourceContainer = blobServiceClient.GetBlobContainerClient("container-name");
            await sourceContainer.CreateIfNotExistsAsync();

            BlobClient blob = sourceContainer.GetBlobClient("file-name");
            var res = GetServiceSasUriForBlob(blob, null);
            if (res == null)
            {
                // No SAS could be created (client not authorized with Shared Key).
                return StatusCode(500);
            }

            return Ok(res.AbsoluteUri);
        }

        private static Uri GetServiceSasUriForBlob(BlobClient blobClient, string storedPolicyName = null)
        {
            // Check whether this BlobClient object has been authorized with Shared Key.
            if (blobClient.CanGenerateSasUri)
            {
                // Create a SAS token that's valid for one hour.
                BlobSasBuilder sasBuilder = new BlobSasBuilder()
                {
                    BlobContainerName = blobClient.GetParentBlobContainerClient().Name,
                    BlobName = blobClient.Name,
                    Resource = "b" // "b" for blob, "c" for container
                };

                if (storedPolicyName == null)
                {
                    sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
                    // Displaying an image only needs read access, so Write is not granted.
                    sasBuilder.SetPermissions(BlobSasPermissions.Read);
                }
                else
                {
                    sasBuilder.Identifier = storedPolicyName;
                }

                // The SAS URI grants access to whoever holds it, so it is returned
                // to the caller and not written to the console or logs.
                Uri sasUri = blobClient.GenerateSasUri(sasBuilder);
                return sasUri;
            }
            else
            {
                Console.WriteLine("BlobClient must be authorized with Shared Key credentials to create a service SAS.");
                return null;
            }
        }
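
The short-lived token idea from the last answer, without Azure, as an added example that is not code from the original page: the server signs the image path and an expiry time with HMAC-SHA256 and rejects links that are expired or altered. It assumes .NET 6 or later; `ImageLinkSigner`, `Demo` and the sample path are hypothetical names. As the answers state, a client that holds a valid link can still save the image.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: short-lived signed image links (all names are hypothetical).
public static class ImageLinkSigner
{
    // Returns the expiry (Unix seconds) and a hex HMAC-SHA256 over "path|expiry".
    public static (long Exp, string Sig) Sign(byte[] key, string path,
                                              DateTimeOffset now, TimeSpan lifetime)
    {
        long exp = now.Add(lifetime).ToUnixTimeSeconds();
        return (exp, Mac(key, path, exp));
    }

    // True only if the signature matches this path and expiry and the link is still valid.
    public static bool Verify(byte[] key, string path, long exp, string sig, DateTimeOffset now)
    {
        if (sig == null || now.ToUnixTimeSeconds() > exp) return false;
        byte[] expected = Encoding.ASCII.GetBytes(Mac(key, path, exp));
        byte[] supplied = Encoding.ASCII.GetBytes(sig.ToLowerInvariant());
        // Constant-time comparison; returns false when the lengths differ.
        return CryptographicOperations.FixedTimeEquals(expected, supplied);
    }

    private static string Mac(byte[] key, string path, long exp)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] tag = hmac.ComputeHash(Encoding.UTF8.GetBytes(path + "|" + exp));
            return BitConverter.ToString(tag).Replace("-", "").ToLowerInvariant();
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);   // constructed demo key
        DateTimeOffset now = DateTimeOffset.UtcNow;
        const string path = "/images/photo.jpg";           // constructed sample path
        var (exp, sig) = ImageLinkSigner.Sign(key, path, now, TimeSpan.FromMinutes(2));

        Console.WriteLine(ImageLinkSigner.Verify(key, path, exp, sig, now));                 // valid link
        Console.WriteLine(ImageLinkSigner.Verify(key, "/images/other.jpg", exp, sig, now));  // path changed
        Console.WriteLine(ImageLinkSigner.Verify(key, path, exp + 3600, sig, now));          // expiry changed
        Console.WriteLine(ImageLinkSigner.Verify(key, path, exp, sig, now.AddMinutes(3)));   // expired
    }
}
```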
