how do I secure images?

Discussion in 'ASP.NET / ASP.NET Core' started by dunca06853, Nov 7, 2010.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. I was previously storing my images in a db for security reasons. I am now having to store my images on the file system instead for performance reasons.

    I currently have my images folder locked down for only authorized users. However, I do not want authorized users to be able to view ALL images.

    For example, user1 is not allowed to see image.jpg. Therefore, I want to disallow or redirect if user1 types in a URL such as:
    www.mysite.com/images/image.jpg

    How can I accomplish this? I think I need a way to only allow access to my images folder via my web app only, and not directly from a browser URL.

    Any feedback would be greatly appreciated.
    jason
     
  2. Secure images from direct access

    I recently converted from storing my images and pdfs in the database to now storing them on the file system. I was previously storing my images and pdfs in a database for security reasons.

    I now need to restrict access to images/pdfs on my webserver so the only access is through my web app. Further, I have internal user groups set up so only authenticated users can see certain images/pdfs.

    For example:
    User1 is allowed to only view images/image1.jpg and images2.jpg.
    User2 is allowed to only view images/image1.jpg.

    I do NOT want User2 to be able to see any other images by typing into the address bar: mysite.com/images/images2.jpg.

    Can someone suggest a method for locking this down? Perhaps there is a way that I can set permissions similar to the App_Data folder so that info cannot be accessed unless via the webapp.

    Any suggestions would be greatly appreciated.

    Jason
     
  3. Bruce

    Bruce DiscountASP.NET Staff

    Maybe you can block read access to the images folder completely.
     
  4. Good idea. Thank you.

    When I deny read access to restricted folder, I get the following results...

    Direct access to image (via browser address bar such as mysite.com/images/image1.jpg):
    This returns an error page. Great!

    Indirect access (via my aspx/ashx page such as mysite.com/viewImage.aspx):
    I am prompted for a password. Is there a way that this can be handled in my web.config?

    Any help would be greatly appreciated!
     
  5. securing files: solution.

    Here is a simple solution for securing your images, pdfs, etc.

    1. Create a restricted, secure location:
    Create a subdir under the App_Data folder (i.e., restricted).
    App_Data/restricted
    By virtue of App_Data, files are not directly accessible via browser. Access must be via ASP.NET.

    2. To view file:
    a. Create an aspx file to show the file (i.e., showFiles.aspx)
    // Point the Image control at the handler created in step b.
    Image1.ImageUrl = "fileHandler.ashx";

    b. Create a file handler (i.e., fileHandler.ashx)
    Dynamically set content type and file path. Hardcoded here for simplicity.
    context.Response.Clear();
    context.Response.AddHeader("Content-Type", "image/jpeg");
    context.Response.WriteFile("~/app_data/restricted/test.jpg");

    3. To upload file:
    Just use a FileUpload control to save to your restricted directory.
    FileUpload1.SaveAs(Server.MapPath("~/App_Data/") + "restricted/" + FileUpload1.FileName);
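
As an added example (not code from the thread), here is a version of the fileHandler.ashx from the post above that decides per user whether a file under App_Data/restricted may be sent, requested as fileHandler.ashx?name=image1.jpg. The Acl table, the "name" query-string parameter and the FileHandler class name are assumptions made for illustration; a real site would look permissions up in its own user/group store.

```csharp
// Added example, not from the thread. Acl is constructed sample data standing in
// for a real per-user permission lookup (for example, a database query).
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

public class FileHandler : IHttpHandler
{
    private static readonly Dictionary<string, string[]> Acl =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "User1", new[] { "image1.jpg", "images2.jpg" } },
            { "User2", new[] { "image1.jpg" } },
        };
    private static readonly Dictionary<string, string> ContentTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { ".jpg", "image/jpeg" }, { ".pdf", "application/pdf" },
        };
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string name = context.Request.QueryString["name"];
        string user = (context.User != null && context.User.Identity.IsAuthenticated)
            ? context.User.Identity.Name : null;
        string[] allowed = null;
        string contentType = null;

        // Refuse path separators and other characters invalid in a leaf file name,
        // then require an exact match in the caller's own allow-list.
        bool ok = user != null && !string.IsNullOrEmpty(name)
            && name.IndexOfAny(Path.GetInvalidFileNameChars()) < 0
            && Acl.TryGetValue(user, out allowed)
            && Array.Exists(allowed, f => string.Equals(f, name, StringComparison.OrdinalIgnoreCase))
            && ContentTypes.TryGetValue(Path.GetExtension(name), out contentType);

        string path = ok ? context.Server.MapPath("~/App_Data/restricted/" + name) : null;
        if (path == null || !File.Exists(path))
        {
            // Same answer for "not permitted" and "missing", so file names cannot be probed.
            context.Response.StatusCode = 404;
            return;
        }
        context.Response.ContentType = contentType;
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        // Keep per-user content out of shared proxy caches.
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.TransmitFile(path);
    }
}
```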
     
  6. mjp

    Thanks for posting your findings.
     