How can I deny all users directly access image files from images folder?

You cannot. At least you cannot by using a standard mechanism.

If you want to do such a thing, you have to develop a component that
displays the images by requesting them with an identity that has access
to the image folder and then restrict access to all users. Eitherway,
it's not a configuration or trivial task.

A good idea would be to scramble the names of the images so the users
cannot guess the imagefilenames.

> How can I deny all users directly access image files from images folder?
Into the 'application settings' (IIS manager properties) you may add the picture
extensions to the list of files parsed by the Dotnet engine..

Example:
add the executable 'C:\WINNT\Micro soft.NET\Framew ork\v1.1.4322\a spnet_isapi.dll '
to the extension '.jpg'
verbs: 'GET'

Then, you may code any business rule into your global.asax::Ap plication_Begin Request
method:

string extension = MyUtils.GetExte nsion(Request.U rl.toString());
string referrer = Request.UrlRefe rrer;
if(extension.Eq uals("jpg") && (!MyUtils.IsRef errerValid(refe rrer))
{
Response.Write( "direct access denied.");
Response.End();
}
Antonio Fontes
http://www.futureblogs.net/antonio

I forgot to say that this method also can be a good practice to
manage a deep bandwidth usage control for example when
a certain amount per client is allowed:

global.asax::Ap plication_Begin Request()
{
// example url: http://mydomain.com/uploads/1289473/pics/mypic.jpg
string url = Request.Url.ToS tring();
string filePath = Server.MapPath( MyUtils.ParseUr lPath(url));
long clientRef = MyUtils.ParseCl ientRef(url);

// get file length
int fileSize = new FileInfo(filePa th).Length;

// add to bandwith usage
CustomerUtils.I ncrementBandwit thUsage(clientR ef, fileSize);
}

Antonio
http://www.futureblogs.net/antonio

And how he is going to display this images to his site ? I thought that
he want to prohibit DIRECT access to the img folder

> And how he is going to display this images to his site ? I thought that

he want to prohibit DIRECT access to the img folder

The beginrequest event is triggered before delivering the resource.
If you read the first code example I've posted, there's a check on
the referrer validity: MyUtils.IsRefer rerValid(referr er).

If the referrer is valid, then there's nothing to do... just let the request
processing go on.

Antonio Fontes
http://www.futureblogs.net/antonio

re:

MyUtils.IsRefer rerValid(referr er)

Is that a class you wrote, Antonio ?

Juan T. Llibre, ASP.NET MVP
ASP.NET FAQ : http://asp.net.do/faq/
Foros de ASP.NET en Español : http://asp.net.do/foros/
=============== =============== ========
"AF" <nX************ @nXxtg.XnetX> wrote in message
news:OY******** ******@TK2MSFTN GP09.phx.gbl...

And how he is going to display this images to his site ? I thought that
he want to prohibit DIRECT access to the img folder

The beginrequest event is triggered before delivering the resource.
If you read the first code example I've posted, there's a check on
the referrer validity: MyUtils.IsRefer rerValid(referr er).

If the referrer is valid, then there's nothing to do... just let the request
processing go on.

Antonio Fontes
http://www.futureblogs.net/antonio

> > MyUtils.IsRefer rerValid(referr er)

Is that a class you wrote, Antonio ?

This is what I would write. I haven't coded it, it was just needed
to give some example to my answer.
But that could look like:
---------------------------------------------------
IsReferrerValid (string aReferrer)
{
HttpContext ctx = HttpContext.Cur rent;
if(ctx == null)
return false;

string validDomain = MyUtils.GetSett ingsFromWebConf ig("mydomain") ;
string currentDomain = ctx.Request.Url .Host;
if(currentDomai n.Equals(validD omain))
return true;
else
return false;
}
---------------------------------------------------

The valid domains list could be a single item in web.config, or an
arraylist retrieved from a database or whatsoever.
Antonio Fontes
http://www.futureblogs.net/antonio