473,326 Members | 2,813 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,326 software developers and data experts.

Protecting image files

I am creating a site that has an "Uploads" directory where users can upload
image files (let's say .jpgs and .gifs). When a user uploads an image, the
system creates a directory within this "Uploads" directory to place their
image in. What I would like to do is protect the ENTIRE uploads directory so
a user cannot navigate directly to http://mysite/uploads/2/img.jpg without
logging into the site first (I'm using forms authentication). I'm trying to
protect the image files using the following in my web.config:

<httpHandlers>
<add verb="*" path="*.jpg" type="System.Web.HttpForbiddenHandler" />
<add verb="*" path="*.gif" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>

but it has no effect. What can I do to accomplish this?

thnx
Nov 18 '05 #1
4 2211
Ryan Moore wrote:
I am creating a site that has an "Uploads" directory where users can upload
image files (let's say .jpgs and .gifs). When a user uploads an image, the
system creates a directory within this "Uploads" directory to place their
image in. What I would like to do is protect the ENTIRE uploads directory so
a user cannot navigate directly to http://mysite/uploads/2/img.jpg without
logging into the site first (I'm using forms authentication). I'm trying to


You have to add the file extensions (or I should say remap them) to the
aspnet dll in IIS. Right now, what's happening is the request for those
is never making it to the ASP.NET process, cuz IIS is handling them
differently. Hence your forms authentication is never checked.

Go into IIS, I believe under the 'Configuration' button on your virtual
directory, and map all extensions you want to protect to the ASP.NET dll
(see the .aspx extension for the value to copy).

--
Craig Deelsnyder
Microsoft MVP - ASP/ASP.NET
Nov 18 '05 #2
Of course, the easiest remedy is to place these files in a folder that is
not exposed to the web server.

--
HTH,
Kevin Spencer
..Net Developer
Microsoft MVP
Big things are made up
of lots of little things.

"Craig Deelsnyder" <cdeelsny@NO_SPAM_4_MEyahoo.com> wrote in message
news:uZ**************@TK2MSFTNGP12.phx.gbl...
Ryan Moore wrote:
I am creating a site that has an "Uploads" directory where users can upload image files (let's say .jpgs and .gifs). When a user uploads an image, the system creates a directory within this "Uploads" directory to place their image in. What I would like to do is protect the ENTIRE uploads directory so a user cannot navigate directly to http://mysite/uploads/2/img.jpg without logging into the site first (I'm using forms authentication). I'm trying
to
You have to add the file extensions (or I should say remap them) to the
aspnet dll in IIS. Right now, what's happening is the request for those
is never making it to the ASP.NET process, cuz IIS is handling them
differently. Hence your forms authentication is never checked.

Go into IIS, I believe under the 'Configuration' button on your virtual
directory, and map all extensions you want to protect to the ASP.NET dll
(see the .aspx extension for the value to copy).

--
Craig Deelsnyder
Microsoft MVP - ASP/ASP.NET

Nov 18 '05 #3
"Ryan Moore" <ry*******@hotmail.com> wrote in message news:<OJ**************@tk2msftngp13.phx.gbl>...
I am creating a site that has an "Uploads" directory where users can upload
image files (let's say .jpgs and .gifs). When a user uploads an image, the
system creates a directory within this "Uploads" directory to place their
image in. What I would like to do is protect the ENTIRE uploads directory so
a user cannot navigate directly to http://mysite/uploads/2/img.jpg without
logging into the site first (I'm using forms authentication). I'm trying to
protect the image files using the following in my web.config:

<httpHandlers>
<add verb="*" path="*.jpg" type="System.Web.HttpForbiddenHandler" />
<add verb="*" path="*.gif" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>

but it has no effect. What can I do to accomplish this?

thnx

I am also trying to create the same idea on my web site that is hosted
by yahoo I cant get started have you any tips for me html with a php
script or all html i would be interested in how you got this far. with
your problem can you not password protect that directory.
Nov 18 '05 #4
Have you added the file extensions .jpg and .gif to be processed by the
ASP.NET ISAPI extension?

In IIS 5.0 you can do this via the "configuration" button under properties
for the virtual directory in question.

Once you do this, you should not need the ForbiddenHandler.

Richard.

"Simon" <de**********@yahoo.com> wrote in message
news:5b**************************@posting.google.c om...
"Ryan Moore" <ry*******@hotmail.com> wrote in message

news:<OJ**************@tk2msftngp13.phx.gbl>...
I am creating a site that has an "Uploads" directory where users can upload image files (let's say .jpgs and .gifs). When a user uploads an image, the system creates a directory within this "Uploads" directory to place their image in. What I would like to do is protect the ENTIRE uploads directory so a user cannot navigate directly to http://mysite/uploads/2/img.jpg without logging into the site first (I'm using forms authentication). I'm trying to protect the image files using the following in my web.config:

<httpHandlers>
<add verb="*" path="*.jpg" type="System.Web.HttpForbiddenHandler" />
<add verb="*" path="*.gif" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>

but it has no effect. What can I do to accomplish this?

thnx

I am also trying to create the same idea on my web site that is hosted
by yahoo I cant get started have you any tips for me html with a php
script or all html i would be interested in how you got this far. with
your problem can you not password protect that directory.

Nov 18 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

12
by: Roland Hall | last post by:
I read Aaron's article: http://www.aspfaq.com/show.asp?id=2276 re: protecting images from linked to by other sites. There is a link at the bottom of that page that references an interesting...
7
by: Ron Gibson | last post by:
Lets say I have a folder members/3/ in this folder are images I have a login page that connects to a database to retrieve user info. After login the user is directed to a page that lists...
5
by: wallacej | last post by:
Hi Is there a way to protect system files, eg .ini files but still allow access to them from C++ code? As an example I have a settings file called SIMS.INI. This file is often accessed...
2
by: Ryan Moore | last post by:
I am creating a site that has an "Uploads" directory where users can upload image files (let's say .jpgs and .gifs). When a user uploads an image, the system creates a directory within this...
4
by: Jean Christophe Avard | last post by:
Hi! I am designing a clipart manager that sells with over 1500+ copyrighted image. I want to protect these image, I read a bit about resource file, would it be the way to go? the image will be about...
8
by: Iain Napier | last post by:
I'm in the middle of developing a website with a downloads section. It's a wad of educational software for an LEA which for obvious reasons needs password protecting. Users have to authenticate...
18
by: UJ | last post by:
Folks, We provide custom content for our customers. Currently we put the files on our server and people have a program we provide that will download the files. These files are usually SWF, HTML or...
22
by: flit | last post by:
Hello All, I have a hard question, every time I look for this answer its get out from the technical domain and goes on in the moral/social domain. First, I live in third world with bad gov., bad...
11
by: sarika | last post by:
Hi all I am making a website related to uploading art pieces. My requirement is to protect art pieces from being saved by any means. I dont want my images to be save in temporary internet...
1
by: =?Utf-8?B?S2xhdXMgSmVuc2Vu?= | last post by:
Hi I have in the past had succes with protecting pdf-files from download by unauthenticated users by adding an application extension in IIS and mapping pdf.files to be served by the...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.