All geek questions in one place

Asp.net protected images from static requests from other users?

I work on a site that generates dynamic images for each specific user. Sometimes these images contain images of very sensitive data. Recently, we began to see requests for images belonging to another user in the form

http: //myapp/images/someuid/image1.jpg

obviously, someone realized that they could access other user images if they created the correct URL. we save images in the file system to reduce bandwidth.

  • How can we protect this - some kind of http handler?

  • Is there a way to service an image to use o -f caching without having to write it to the file system and let IIS do the dirty work?

+3
source share
3 answers

Use .ashx: -

TimeSpan maxAge = new TimeSpan(0, 15, 0); //!5 minute lifetiem.

context.Response.ContentType = "image/gif";
context.Response.Cache.SetCacheability(HttpCacheability.Private);
context.Response.Cache.SetExpires(DateTime.UtcNow.Add(maxAge));
context.Response.Cache.SetMaxAge(maxAge);
context.Response.Cache.SetLastModified(lastModified); // last modified date time of file
context.Response.WriteFile(filenameofGif);

You can enable what you have ever checked for the code necessary to ensure that users have the correct access to the image.

+5
source

I think the best option would be to prohibit direct access to images from the Internet and create an aspx that will check user rights and return the correct image.

+1
source

, , web.config (, someuid) - (deny = "*" ), (allow = "john" ).

, . , 401 , imagenotfound.gif.

However, I am afraid that the handler will generate a lot of traffic, since there will be one call per image, I do not know how many images you display per user.

+1
source

Source: https://habr.com/ru/post/1703806/

More articles:


All Articles