How to protect your Images folder?

Hi,

NB, not to stop capturing the single displayed Image, but to stop downloading
the entire image directory.
(In my Website you will do a search, and get some thumbnails, and these can be
enlarged one by one).

This topic seems to be frequent.
Some say that you under no circumstances can protect your images, others seem
to have preventing solutions.
Some say that everything uploaded to your web server can be taken down, others
manage to hide files.

As far as I understand so far I have an idea that the following might work.
Please guide me!

My Web provider has given me a space which has a Root folder, and below it is
the WebSiteRoot, which contains my website. The Root folder should not be
available for Web users. There I for instance put my Access DB (accessed through
ODBC). I have FTP access to this space.

So, I would like to put my Image folder in the Root folder, and have my Provider
make it a Virtual Directory in IIS, with an Alias name, and with No Browse
permissions (I hope that does not stop me from seeing it in my FTP program...),
but Write permission (for me to upload to it), Read permission (for the Web to get
the images), and with Anonymous Access set off.

Then I can refer to this Virtual Directory from inside my Website, using the
Alias name.
And in IMG SRC you may see the (alias) URL to this Virtual Directory, but an
outside user should not be able to access it.

Could this stop a user from downloading any images from my Image-folder?
Even if they are using some sort of ripoff utility?

(Or should I have to take a step further and ADO stream the image to the
htm-page through an ASP page in order to hide the URL completely?)

(And also, IF the ASP pages are invisible to the browser - could I hide my
images by renaming my .jpg-files to .asp-files? - I mean, the browser gladly
displays the image even if it is called .asp).

Thanks
Larry

Jul 19 '05 #1
LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
> NB, not to stop capturing the single displayed Image, but to stop
> downloading the entire image directory.


you can fool some people all the time
you can fool all people some time
but ....

Anything that is downloadable into the browser can be copied.

So keeping ALL directories on your asp site non browsable is imperative but
finally security-wise useless. Only image files you do not download and
give an unguessable name are relatively safe. However, what is the use of
having those on site anyway?
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jul 19 '05 #2
On 04 Aug 2003 17:02:23 GMT, "Evertjan." <ex**************@interxnl.net> wrote:
> LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
>> NB, not to stop capturing the single displayed Image, but to stop
>> downloading the entire image directory.
>
> Anything that is downloadable into the browser can be copied.

I don't contradict that..

Maybe I was unclear.
The question is if an imagefile displayed in this way is downloadable directly
from the directory?

Larry

Jul 19 '05 #3
LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
> On 04 Aug 2003 17:02:23 GMT, "Evertjan."
> <ex**************@interxnl.net> wrote:
>> LarryM wrote on 04 aug 2003 in
>> microsoft.public.inetserver.asp.general:
>>> NB, not to stop capturing the single displayed Image, but to stop
>>> downloading the entire image directory.
>>
>> Anything that is downloadable into the browser can be copied.
>
> I don't contradict that..
>
> Maybe I was unclear.
> The question is if an imagefile displayed in this way is downloadable
> directly from the directory?

Yes, if you know its name.

You could hinder that by using an .asp intermediate file that looks at the
referrer name, but once displayed in a browser, it has a copy in the
client's tempfiles.
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jul 19 '05 #4
On 04 Aug 2003 19:44:59 GMT, "Evertjan." <ex**************@interxnl.net> wrote:
> LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
>> On 04 Aug 2003 17:02:23 GMT, "Evertjan."
>> <ex**************@interxnl.net> wrote:
>>> LarryM wrote on 04 aug 2003 in
>>> microsoft.public.inetserver.asp.general:
>>>> NB, not to stop capturing the single displayed Image, but to stop
>>>> downloading the entire image directory.
>>>
>>> Anything that is downloadable into the browser can be copied.
>>
>> I don't contradict that..
>>
>> Maybe I was unclear.
>> The question is if an imagefile displayed in this way is downloadable
>> directly from the directory?
>
> Yes, if you know its name.

Is then also ANY virtual directory (outside the default website) or ANY
directory on the Server Computer open for any user as long as you know or can
guess its name (and put in a URL)?
Is it just a matter of guessing any directory and filename on a server, and then
you can download it??

> You could hinder that by using an .asp intermediate file that looks at the
> referrer name, but once displayed in a browser, it has a copy in the
> client's tempfiles.

I say it again: This is not about stopping the image once it has been displayed
in the browser, not much you can do about that!
It is about stopping bulk download of the entire image directory!

So you mean that I have no other option than to go the step which I also
mentioned: ADO stream the imagefile through an asp-file?

/Larry
Jul 19 '05 #5
LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
>> Yes, if you know its name.
>
> Is then also ANY virtual directory (outside the default website) or
> ANY directory on the Server Computer open for any user as long as you
> know or can guess its name (and put in a URL)?
> Is it just a matter of guessing any directory and filename on a
> server, and then you can download it??
>
>> You could hinder that by using an .asp intermediate file that looks at
>> the referrer name, but once displayed in a browser, it has a copy in
>> the client's tempfiles.
>
> I say it again: This is not about stopping the image once it has been
> displayed in the browser, not much you can do about that!
> It is about stopping bulk download of the entire image directory!
>
> So you mean that I have no other option than to go the step which I
> also mentioned: ADO stream the imagefile through an asp-file?


Well, in my rented virtual machine, the cgi-bin is not accessible for
nonexecutables from outer space. So a directory /cgi-bin/images/ is only
accessible through ADO or scripting-host. The same is true for any normal
website directory, where you can keep the name secret, as long as you
have http-directory browsing off.

So /images/secretpathqwerty6284675/myimg.jpg is secret as long as you do
not point to it in any clientside script, but use myimg.asp to fetch it.

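In myimg.asp I would put something like this:

<%
' Stop unless the request came from the page that embeds the image.
' The server variable is spelled HTTP_REFERER (one "r"), and a VBScript
' condition must stay on one line unless continued with "_".
If Request.ServerVariables("HTTP_REFERER") <> "http://mysite.org/index.asp" Then
    Response.End
End If

Set fs = Server.CreateObject("Scripting.FileSystemObject")
' Server.MapPath returns a string, so it is assigned without Set.
pt = Server.MapPath("/images/secretpathqwerty6284675/")
' etc.
%>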
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jul 19 '05 #6
Thanks Evertjan!
Have I got this right:
If somebody CAN guess that you have a directory
"/images/secretpathqwerty6284675/", is it then open for access
for this person, no matter where the directory is situated?
(I am thinking of outside or inside 'the default website').
Is it just a matter of knowing the name of the directory to get access to it?

I am glad that you can bear with my questions, it seems to take a long time for
me to understand the systems..
/Larry

Jul 19 '05 #7
Larry,

The only way that images can be downloaded (bulk or otherwise) is if the
downloader knows the URL to each image. Since you have disabled "browse" in
IIS for that directory there is no way for a download program to reliably
determine the URLs unless you have links to them embedded in a page that the
program could parse to get the paths.

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17

Jul 19 '05 #8
Serving Dynamic Images from Static Web Pages - 5/24/2000
http://www.4guysfromrolla.com/webtech/052400-1.shtml

Best regards,
J. Paul Schmidt, Freelance ASP Web Developer
http://www.Bullschmidt.com
ASP Design Tips, ASP Web Database Demo, Free ASP Bar Chart Tool...
Jul 19 '05 #9
thanks, all ..
/Larry

Jul 19 '05 #10
I'm jumping in a little late, but try to think of it this way..
A user requests a page, they get the page.
On the page are links to images <img src="thefolder\thefile.jpg">
The browser then requests those files.

So, if your images are named in a manner that is easy to figure out (such as
numerically 1.jpg, 2.jpg etc, or alphabetically a.jpg, b.jpg) then it's hard
to prevent someone from writing a script to grab all of them.

To prevent a bulk download script, you can give them hard to guess names
such as "ThePictureOfBobWearingAFunnyHat.jpg" or you can use the ADO stream
method you mentioned.

The Toronto Sunshine Girl page www.canoe.ca/TorontoSunshine only shows the
Sunshine Girl of the day, however; they store each picture as ssg.jpg in a
subdirectory of the day's date (eg .Aug8/ssg.jpg ) so it didn't take long to
write a script that produces....
<img src="Aug8/ssg.jpg">
<img src="Aug7/ssg.jpg">
If they had named them individually, such as JaneDoe.jpg, it would have been
"impossible" to script that.

Jul 19 '05 #11
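
An added example, not part of the original thread: one way to write the intermediate .asp file discussed in posts #6 and #11, streaming each image with ADODB.Stream from a folder outside the web root and authorising the request from the session instead of the Referer header, which is supplied by the client. The handler name image.asp, the id parameter, the Session keys, the IMAGE_ROOT path and the per-session limit are assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' image.asp?id=<number>   (hypothetical handler name and parameter)
' Assumption: the search page stores the ids it has just listed, e.g.
'   Session("allowedImages") = ",12,57,103,"
Const IMAGE_ROOT = "D:\customer\root\images\"  ' placeholder path outside the web root
Const MAX_PER_SESSION = 200                     ' constructed limit

Sub Deny(status)
    Response.Status = status
    Response.End
End Sub

Dim id, re, allowed, path, fso, stm

' 1. Accept only a short numeric id, so the value can never carry
'    "..", a slash or a drive letter into the file path.
id = Request.QueryString("id")
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(id) Then Deny "404 Not Found"

' 2. Server-side authorisation: the id must be one this session was shown
'    by the search page. Guessing neighbouring ids gains nothing.
allowed = Session("allowedImages") & ""
If InStr(allowed, "," & id & ",") = 0 Then Deny "403 Forbidden"

' 3. Cap the number of full-size images per session to slow bulk fetching.
Session("imageCount") = CLng("0" & Session("imageCount")) + 1
If Session("imageCount") > MAX_PER_SESSION Then Deny "403 Forbidden"

' 4. Build the real file name on the server; the visitor only sees the id.
path = IMAGE_ROOT & id & ".jpg"
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(path) Then Deny "404 Not Found"

' 5. Stream the bytes to the browser.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = 1              ' adTypeBinary
stm.Open
stm.LoadFromFile path
Response.ContentType = "image/jpeg"
Response.BinaryWrite stm.Read
stm.Close
Set stm = Nothing
Set fso = Nothing
%>
```

The page would then reference each picture as `<img src="image.asp?id=57">`, and the image folder itself needs no virtual directory or Read permission for web users.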


Why not protect the image folder by referrer, only allowing access from
approved pages within your website?

That will solve some of your headaches.

Are these images only available to members (password protected)?

You can either hand code this, or use AuthentiX.
http://www.flicks.com

Jul 19 '05 #12
