By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
440,649 Members | 2,154 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 440,649 IT Pros & Developers. It's quick & easy.

How to protect your Images folder?

P: n/a
Hi,

NB, not to stop capturing the single displayed Image, but to stop downloading
the entire image directory.
(In my Website you will do a search, and get some thumbnails, and these can be
enlarged one by one).

This topic seems to be frequent.
Some says that you under no circumstances can protect your images, others seem
to have preventing solutions.
Some says that everything uploaded to your web server can be taken down, others
manage to hide files.

As far as I understand so far I have an idea that the following might work.
Please guide me!

My Web provider has given me a space which has a Root folder, and below it is
the WebSiteRoot, which contains my website. The Root folder should not be
available for Web users. There I for instance put my Access DB (accessed through
ODBC). I have FTP access to this space.

So, I would like to put my Image folder in the Root folder, and have my Provider
make it a Virtual Directory in IIS, with an Alias name, and with No Browse
permissons (I hope that does not stop me from seeing it in my FTP program...),
but Write permisson (for me to upload to it), Read permisson (for the Web to get
the images), and with Anonymous Access set off.

Then I can refer to this Virtual Directory from inside my Website, using the
Alias name.
And in IMG SRC you may see the (alias) URL to this Virtual Directory, but an
outside user should not be able to access it.

Could this stop a user from downloading any images from my Image-folder?
Even if they are using some sort of ripoff utility?

(Or should I have to take a step further and ADO stream the image to the
htm-page through an ASP page in order to hide the URL completely?)

(And also, IF the ASP pages are invisible to the browser - could I hide my
images by renaming my .jpg-files to .asp-files? - I mean, the browser gladly
displays the image even if it is called .asp).

Thanks
Larry

Jul 19 '05 #1
Share this Question
Share on Google+
11 Replies


P: n/a
LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
NB, not to stop capturing the single displayed Image, but to stop
downloading the entire image directory.


you can fool some people all the time
you can fool all people some time
but ....

Anything that is downloadable into the browser can be copied.

So keeping ALL directories on your asp site non browsable is imperative but
finally security wise useless. Only image files you do not download and
give a unguessable name are relatively safe. However, what is the use
having those on site anyway?
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jul 19 '05 #2

P: n/a
On 04 Aug 2003 17:02:23 GMT, "Evertjan." <ex**************@interxnl.net> wrote:
LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
NB, not to stop capturing the single displayed Image, but to stop
downloading the entire image directory.


Anything that is downloadable into the browser can be copied.

I don't contradict that..

Maybe I was unclear.
The question is if an imagefile displayed in this way is downloadable directly
from the directory?

Larry

Jul 19 '05 #3

P: n/a
LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
On 04 Aug 2003 17:02:23 GMT, "Evertjan."
<ex**************@interxnl.net> wrote:
LarryM wrote on 04 aug 2003 in
microsoft.public.inetserver.asp.general:
NB, not to stop capturing the single displayed Image, but to stop
downloading the entire image directory.


Anything that is downloadable into the browser can be copied.

I don't contradict that..

Maybe I was unclear.
The question is if an imagefile displayed in this way is downloadable
directly from the directory?


Yes, if you know it's name.

You could hinder that by using an .asp intermediate file that looks at the
referrer name, but once displayed in a browser, it has a copy in the
clients tempfiles.
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jul 19 '05 #4

P: n/a
On 04 Aug 2003 19:44:59 GMT, "Evertjan." <ex**************@interxnl.net> wrote:
LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
On 04 Aug 2003 17:02:23 GMT, "Evertjan."
<ex**************@interxnl.net> wrote:
LarryM wrote on 04 aug 2003 in
microsoft.public.inetserver.asp.general:
NB, not to stop capturing the single displayed Image, but to stop
downloading the entire image directory.

Anything that is downloadable into the browser can be copied.

I don't contradict that..

Maybe I was unclear.
The question is if an imagefile displayed in this way is downloadable
directly from the directory?


Yes, if you know it's name.

Is then also ANY virtual directory (outside the default website) or ANY
directory on the Server Computer open for any user as long as you know or can
guess it's name (and put in an URL)?
Is it just a matter of guessing any directory and filename on a server, and then
you can download it??
You could hinder that by using an .asp intermediate file that looks at the
referrer name, but once displayed in a browser, it has a copy in the
clients tempfiles.


I say it again: This is not about stopping the image once it has been displayed
in the browser, not much you can do about that!
It is about stoppping bulk download of the entire image directory!

So you mean that I have no other option then to go the step which I also
mentioned: ADO stream the imagefile through an asp-file?

/Larry
Jul 19 '05 #5

P: n/a
LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
Yes, if you know it's name.

Is then also ANY virtual directory (outside the default website) or
ANY directory on the Server Computer open for any user as long as you
know or can guess it's name (and put in an URL)?
Is it just a matter of guessing any directory and filename on a
server, and then you can download it??
You could hinder that by using an .asp intermediate file that looks at
the referrer name, but once displayed in a browser, it has a copy in
the clients tempfiles.


I say it again: This is not about stopping the image once it has been
displayed in the browser, not much you can do about that!
It is about stoppping bulk download of the entire image directory!

So you mean that I have no other option then to go the step which I
also mentioned: ADO stream the imagefile through an asp-file?


Well, in my rented virtual machine, the cgi-bin is not accessable for
nonexecutables from outer space. so a directory /cgi-bin/images/ is only
accessable though ADO or scripting-host. The same is true for any normal
webside directory, where you can keep the name of secret, as long as you
have http-directory browsing off.

So /images/secretpathqwerty6284675/myimg.jpg is secret as long as you do
not point to it in any clientside script, but use myimg.asp to fetch it.

In myimg.asp I would put something like this:

<%
If request.servervariables("http_referrer")
<>"http://mysite.org/index.asp" Then response.end

Set fs = server.CreateObject ("Scripting.Filesystemobject")
Set pt = Server.MapPath("/images/secretpathqwerty6284675/")
etc.
%>
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jul 19 '05 #6

P: n/a
On 04 Aug 2003 22:15:51 GMT, "Evertjan." <ex**************@interxnl.net> wrote:
LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
Yes, if you know it's name.

Is then also ANY virtual directory (outside the default website) or
ANY directory on the Server Computer open for any user as long as you
know or can guess it's name (and put in an URL)?
Is it just a matter of guessing any directory and filename on a
server, and then you can download it??
You could hinder that by using an .asp intermediate file that looks at
the referrer name, but once displayed in a browser, it has a copy in
the clients tempfiles.


I say it again: This is not about stopping the image once it has been
displayed in the browser, not much you can do about that!
It is about stoppping bulk download of the entire image directory!

So you mean that I have no other option then to go the step which I
also mentioned: ADO stream the imagefile through an asp-file?


Well, in my rented virtual machine, the cgi-bin is not accessable for
nonexecutables from outer space. so a directory /cgi-bin/images/ is only
accessable though ADO or scripting-host. The same is true for any normal
webside directory, where you can keep the name of secret, as long as you
have http-directory browsing off.

So /images/secretpathqwerty6284675/myimg.jpg is secret as long as you do
not point to it in any clientside script, but use myimg.asp to fetch it.

In myimg.asp I would put something like this:

<%
If request.servervariables("http_referrer")
<>"http://mysite.org/index.asp" Then response.end

Set fs = server.CreateObject ("Scripting.Filesystemobject")
Set pt = Server.MapPath("/images/secretpathqwerty6284675/")
etc.
%>


Thanks Evertjan!
Have I got this right:
If somebody CAN guess that you have a directory
"/images/secretpathqwerty6284675/", is it then open for access
for this person, no matter where the directory is situated?
(I am thinking of outside or inside 'the default webside').
Is it just a matter of knowing the name of the directory to get access to it?

I am glad that you can bear with my questions, it seems to take a long time for
me to understand the systems..
/Larry

Jul 19 '05 #7

P: n/a
Larry,

The only way that images can be downloaded (bulk or otherwise) is if the
downloader knows the URL to each image. Since you have disabled "browse" in
IIS for that directory there is no way for a download program to reliably
determine the URLs unless you have links to them embedded in a page that the
program could parse to get the paths.

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
ms*****@ielearning.com
http://www.ielearning.com
714.637.9480 x17
"LarryM" <lm****@telia.com> wrote in message
news:4m********************************@4ax.com...
On 04 Aug 2003 19:44:59 GMT, "Evertjan." <ex**************@interxnl.net> wrote:
LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
On 04 Aug 2003 17:02:23 GMT, "Evertjan."
<ex**************@interxnl.net> wrote:

LarryM wrote on 04 aug 2003 in
microsoft.public.inetserver.asp.general:
> NB, not to stop capturing the single displayed Image, but to stop
> downloading the entire image directory.

Anything that is downloadable into the browser can be copied.

I don't contradict that..

Maybe I was unclear.
The question is if an imagefile displayed in this way is downloadable
directly from the directory?
Yes, if you know it's name.

Is then also ANY virtual directory (outside the default website) or ANY
directory on the Server Computer open for any user as long as you know or

can guess it's name (and put in an URL)?
Is it just a matter of guessing any directory and filename on a server, and then you can download it??
You could hinder that by using an .asp intermediate file that looks at thereferrer name, but once displayed in a browser, it has a copy in the
clients tempfiles.
I say it again: This is not about stopping the image once it has been

displayed in the browser, not much you can do about that!
It is about stoppping bulk download of the entire image directory!

So you mean that I have no other option then to go the step which I also
mentioned: ADO stream the imagefile through an asp-file?

/Larry

Jul 19 '05 #8

P: n/a
Serving Dynamic Images from Static Web Pages - 5/24/2000
http://www.4guysfromrolla.com/webtech/052400-1.shtml

Best regards,
J. Paul Schmidt, Freelance ASP Web Developer
http://www.Bullschmidt.com
ASP Design Tips, ASP Web Database Demo, Free ASP Bar Chart Tool...
*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Jul 19 '05 #9

P: n/a
thanks, all ..
/Larry

Jul 19 '05 #10

P: n/a
I'm jumping in a little late, but try to think of it this way..
A user requests a page, they get the page.
On the page are links to images <img src="thefolder\thefile.jpg">
The browser then requests those files.

So, if your images are named in a manner that is easy to figure out (such as
numerically 1.jpg, 2.jpg etc, or alphabetically a.jpg, b.jpg) then it's hard
to prevent someone from writing a script to grab all of them.

To prevent a bulk download script, you can give them hard to guess names
such as "ThePictureOfBobWearingAFunnyHat.jpg" or you can use the ADO stream
method you mentioned.

The Toronto Sunshine Girl page www.canoe.ca/TorontoSunshine only shows the
Sunshine Girl of the day, however; they store each picture as ssg.jpg in a
subdirectory of the days date (eg .Aug8/ssg.jpg ) so it didn't take long to
write a script that produces....
<img src="Aug8/ssg.jpg">
<img src="Aug7/ssg.jpg">
If they had named them individually, such as JaneDoe.jpg, it would have been
"impossible" to script that.

"LarryM" <lm****@telia.com> wrote in message
news:ae********************************@4ax.com...
Hi,

NB, not to stop capturing the single displayed Image, but to stop downloading the entire image directory.
(In my Website you will do a search, and get some thumbnails, and these can be enlarged one by one).

This topic seems to be frequent.
Some says that you under no circumstances can protect your images, others seem to have preventing solutions.
Some says that everything uploaded to your web server can be taken down, others manage to hide files.

As far as I understand so far I have an idea that the following might work. Please guide me!

My Web provider has given me a space which has a Root folder, and below it is the WebSiteRoot, which contains my website. The Root folder should not be
available for Web users. There I for instance put my Access DB (accessed through ODBC). I have FTP access to this space.

So, I would like to put my Image folder in the Root folder, and have my Provider make it a Virtual Directory in IIS, with an Alias name, and with No Browse
permissons (I hope that does not stop me from seeing it in my FTP program...), but Write permisson (for me to upload to it), Read permisson (for the Web to get the images), and with Anonymous Access set off.

Then I can refer to this Virtual Directory from inside my Website, using the Alias name.
And in IMG SRC you may see the (alias) URL to this Virtual Directory, but an outside user should not be able to access it.

Could this stop a user from downloading any images from my Image-folder?
Even if they are using some sort of ripoff utility?

(Or should I have to take a step further and ADO stream the image to the
htm-page through an ASP page in order to hide the URL completely?)

(And also, IF the ASP pages are invisible to the browser - could I hide my
images by renaming my .jpg-files to .asp-files? - I mean, the browser gladly displays the image even if it is called .asp).

Thanks
Larry

Jul 19 '05 #11

P: n/a


Why not protect the image folder by referrer, only allowing access from
approved pages within your website ?

That will solve some of your headaches.

Are these images only available to members (password protected) ?

You can either hand code this, or use AuthentiX.
http://www.flicks.com

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Jul 19 '05 #12

This discussion thread is closed

Replies have been disabled for this discussion.