Protect an Image File in ASP.NET Web Project?

Unless its a password protected site, you can only really just check your
logs to see if anyone is doing that and block them if they are. I

Regards

John Timney (MVP)
http://www.johntimney.com
http://www.johntimney.com/blog
"Mike" <Mi**@discussions.microsoft.comwrote in message
news:AC**********************************@microsof t.com...

Hi. I have an ASP.NET 2.0 web application which contains an Images
directory
with all website images. How can I prevent other websites from creating
img
tags with the source as my images? I want to prevent other websites from
serving my image.

For example - How can I prevent another website from doing this?
<img src="http://mywebsitename/images/image1.jpg"

Is this possible? Thanks

Place the files in a different directory and serve them up with an aspx
page. Have the aspx page
Check the Request.UrlReferrer prior to serving them up.

You could also use a 404 error handler so that they look like they are
still gifs, but because you are calling them from a directory different
then they are really in, the 404 handler will kick in and serve up the
file for you.
Dave Bush
http://blog.dmbcllc.com

-----Original Message-----
From: Mike [mailto:Mi**@discussions.microsoft.com]
Posted At: Wednesday, November 28, 2007 9:44 AM
Posted To: microsoft.public.dotnet.framework.aspnet
Conversation: Protect an Image File in ASP.NET Web Project?
Subject: Protect an Image File in ASP.NET Web Project?

Hi. I have an ASP.NET 2.0 web application which contains an Images
directory
with all website images. How can I prevent other websites from creating
img
tags with the source as my images? I want to prevent other websites from
serving my image.

For example - How can I prevent another website from doing this?
<img src="http://mywebsitename/images/image1.jpg"

Is this possible? Thanks

Dave - You mention serving them up on an aspx page. What exactly does that
mean or how would I do that? I understand how to check the
request.urlreferrer, I'm just unfamiliar w/serving an image on an aspx page.

Thanks.

"Dave Bush" wrote:

Place the files in a different directory and serve them up with an aspx
page. Have the aspx page
Check the Request.UrlReferrer prior to serving them up.

You could also use a 404 error handler so that they look like they are
still gifs, but because you are calling them from a directory different
then they are really in, the 404 handler will kick in and serve up the
file for you.
Dave Bush
http://blog.dmbcllc.com

-----Original Message-----
From: Mike [mailto:Mi**@discussions.microsoft.com]
Posted At: Wednesday, November 28, 2007 9:44 AM
Posted To: microsoft.public.dotnet.framework.aspnet
Conversation: Protect an Image File in ASP.NET Web Project?
Subject: Protect an Image File in ASP.NET Web Project?

Hi. I have an ASP.NET 2.0 web application which contains an Images
directory
with all website images. How can I prevent other websites from creating
img
tags with the source as my images? I want to prevent other websites from
serving my image.

For example - How can I prevent another website from doing this?
<img src="http://mywebsitename/images/image1.jpg"

Is this possible? Thanks

private void Page_Load(object sender, System.EventArgs e)
{
Response.ClearContent();
Response.ClearHeaders();
Response.ContentType = image mime type here;
Response.WriteFile(filename);
Response.End();
}

-----Original Message-----
From: Mike [mailto:Mi**@discussions.microsoft.com]
Posted At: Wednesday, November 28, 2007 10:35 AM
Posted To: microsoft.public.dotnet.framework.aspnet
Conversation: Protect an Image File in ASP.NET Web Project?
Subject: Re: Protect an Image File in ASP.NET Web Project?

Dave - You mention serving them up on an aspx page. What exactly does
that
mean or how would I do that? I understand how to check the
request.urlreferrer, I'm just unfamiliar w/serving an image on an aspx
page.

Thanks.

"Dave Bush" wrote:

Place the files in a different directory and serve them up with an aspx
page. Have the aspx page
Check the Request.UrlReferrer prior to serving them up.

You could also use a 404 error handler so that they look like they are
still gifs, but because you are calling them from a directory different
then they are really in, the 404 handler will kick in and serve up the
file for you.
Dave Bush
http://blog.dmbcllc.com

-----Original Message-----
From: Mike [mailto:Mi**@discussions.microsoft.com]
Posted At: Wednesday, November 28, 2007 9:44 AM
Posted To: microsoft.public.dotnet.framework.aspnet
Conversation: Protect an Image File in ASP.NET Web Project?
Subject: Protect an Image File in ASP.NET Web Project?

Hi. I have an ASP.NET 2.0 web application which contains an Images
directory
with all website images. How can I prevent other websites from creating
img
tags with the source as my images? I want to prevent other websites from
serving my image.

For example - How can I prevent another website from doing this?
<img src="http://mywebsitename/images/image1.jpg"

Is this possible? Thanks

this adds little protection, as image properties will give the url.
checking the urlreferrer will prevent legitimate users, as many
browser/proxies strip this for security.

you best bet is using a 1 time token on the url.

myimage.aspx?id=<access token>

the accesstoken is a key to the actual image to return. the key should
only be good for 1 use (or limited time use).

again this will only stop casual use, a good hacker could beat this.

-- bruce (sqlwork.com)

Dave Bush wrote:

private void Page_Load(object sender, System.EventArgs e)
{
Response.ClearContent();
Response.ClearHeaders();
Response.ContentType = image mime type here;
Response.WriteFile(filename);
Response.End();
}

-----Original Message-----
From: Mike [mailto:Mi**@discussions.microsoft.com]
Posted At: Wednesday, November 28, 2007 10:35 AM
Posted To: microsoft.public.dotnet.framework.aspnet
Conversation: Protect an Image File in ASP.NET Web Project?
Subject: Re: Protect an Image File in ASP.NET Web Project?

Dave - You mention serving them up on an aspx page. What exactly does
that
mean or how would I do that? I understand how to check the
request.urlreferrer, I'm just unfamiliar w/serving an image on an aspx
page.

Thanks.

"Dave Bush" wrote:

>Place the files in a different directory and serve them up with an aspx
page. Have the aspx page
Check the Request.UrlReferrer prior to serving them up.

You could also use a 404 error handler so that they look like they are
still gifs, but because you are calling them from a directory different
then they are really in, the 404 handler will kick in and serve up the
file for you.
Dave Bush
http://blog.dmbcllc.com

-----Original Message-----
From: Mike [mailto:Mi**@discussions.microsoft.com]
Posted At: Wednesday, November 28, 2007 9:44 AM
Posted To: microsoft.public.dotnet.framework.aspnet
Conversation: Protect an Image File in ASP.NET Web Project?
Subject: Protect an Image File in ASP.NET Web Project?

Hi. I have an ASP.NET 2.0 web application which contains an Images
directory
with all website images. How can I prevent other websites from creating
img
tags with the source as my images? I want to prevent other websites from
serving my image.

For example - How can I prevent another website from doing this?
<img src="http://mywebsitename/images/image1.jpg"

Is this possible? Thanks

Bruce is right. But, you need to decide how important protecting those
images is.

You might be able to get away with checking for a session variable that
the calling page created.

Any method you use COULD be hacked. But, they'd have to have some idea
what you were doing first.

Are the images really THAT important? Could you put a visible water mark
on them instead?

-----Original Message-----
From: bruce barker [mailto:no****@nospam.com]
Posted At: Wednesday, November 28, 2007 11:59 AM
Posted To: microsoft.public.dotnet.framework.aspnet
Conversation: Protect an Image File in ASP.NET Web Project?
Subject: Re: Protect an Image File in ASP.NET Web Project?

this adds little protection, as image properties will give the url.
checking the urlreferrer will prevent legitimate users, as many
browser/proxies strip this for security.

you best bet is using a 1 time token on the url.

myimage.aspx?id=<access token>

the accesstoken is a key to the actual image to return. the key should
only be good for 1 use (or limited time use).

again this will only stop casual use, a good hacker could beat this.

-- bruce (sqlwork.com)

Dave Bush wrote:

private void Page_Load(object sender, System.EventArgs e)
{
Response.ClearContent();
Response.ClearHeaders();
Response.ContentType = image mime type here;
Response.WriteFile(filename);
Response.End();
}

-----Original Message-----
From: Mike [mailto:Mi**@discussions.microsoft.com]
Posted At: Wednesday, November 28, 2007 10:35 AM
Posted To: microsoft.public.dotnet.framework.aspnet
Conversation: Protect an Image File in ASP.NET Web Project?
Subject: Re: Protect an Image File in ASP.NET Web Project?

Dave - You mention serving them up on an aspx page. What exactly does
that
mean or how would I do that? I understand how to check the
request.urlreferrer, I'm just unfamiliar w/serving an image on an aspx
page.

Thanks.

"Dave Bush" wrote:

>Place the files in a different directory and serve them up with an aspx
page. Have the aspx page
Check the Request.UrlReferrer prior to serving them up.

You could also use a 404 error handler so that they look like they are
still gifs, but because you are calling them from a directory different
then they are really in, the 404 handler will kick in and serve up the
file for you.
Dave Bush
http://blog.dmbcllc.com

-----Original Message-----
From: Mike [mailto:Mi**@discussions.microsoft.com]
Posted At: Wednesday, November 28, 2007 9:44 AM
Posted To: microsoft.public.dotnet.framework.aspnet
Conversation: Protect an Image File in ASP.NET Web Project?
Subject: Protect an Image File in ASP.NET Web Project?

Hi. I have an ASP.NET 2.0 web application which contains an Images
directory
with all website images. How can I prevent other websites from
creating
img
tags with the source as my images? I want to prevent other websites
from
serving my image.

For example - How can I prevent another website from doing this?
<img src="http://mywebsitename/images/image1.jpg"

Is this possible? Thanks

The images are not THAT important, and I think that one of the methods
recommended here should suffice to accomplish this task.

Right now I think I have a pretty good understanding what you all have
proposed, so I'll get started reviewing them.

Thanks all!

"Dave Bush" wrote:

Bruce is right. But, you need to decide how important protecting those
images is.

You might be able to get away with checking for a session variable that
the calling page created.

Any method you use COULD be hacked. But, they'd have to have some idea
what you were doing first.

Are the images really THAT important? Could you put a visible water mark
on them instead?

-----Original Message-----
From: bruce barker [mailto:no****@nospam.com]
Posted At: Wednesday, November 28, 2007 11:59 AM
Posted To: microsoft.public.dotnet.framework.aspnet
Conversation: Protect an Image File in ASP.NET Web Project?
Subject: Re: Protect an Image File in ASP.NET Web Project?

this adds little protection, as image properties will give the url.
checking the urlreferrer will prevent legitimate users, as many
browser/proxies strip this for security.

you best bet is using a 1 time token on the url.

myimage.aspx?id=<access token>

the accesstoken is a key to the actual image to return. the key should
only be good for 1 use (or limited time use).

again this will only stop casual use, a good hacker could beat this.

-- bruce (sqlwork.com)

Dave Bush wrote:

private void Page_Load(object sender, System.EventArgs e)
{
Response.ClearContent();
Response.ClearHeaders();
Response.ContentType = image mime type here;
Response.WriteFile(filename);
Response.End();
}

-----Original Message-----
From: Mike [mailto:Mi**@discussions.microsoft.com]
Posted At: Wednesday, November 28, 2007 10:35 AM
Posted To: microsoft.public.dotnet.framework.aspnet
Conversation: Protect an Image File in ASP.NET Web Project?
Subject: Re: Protect an Image File in ASP.NET Web Project?

Dave - You mention serving them up on an aspx page. What exactly does
that
mean or how would I do that? I understand how to check the
request.urlreferrer, I'm just unfamiliar w/serving an image on an aspx
page.

Thanks.

"Dave Bush" wrote:

Place the files in a different directory and serve them up with an aspx
page. Have the aspx page
Check the Request.UrlReferrer prior to serving them up.

You could also use a 404 error handler so that they look like they are
still gifs, but because you are calling them from a directory different
then they are really in, the 404 handler will kick in and serve up the
file for you.
Dave Bush
http://blog.dmbcllc.com

-----Original Message-----
From: Mike [mailto:Mi**@discussions.microsoft.com]
Posted At: Wednesday, November 28, 2007 9:44 AM
Posted To: microsoft.public.dotnet.framework.aspnet
Conversation: Protect an Image File in ASP.NET Web Project?
Subject: Protect an Image File in ASP.NET Web Project?

Hi. I have an ASP.NET 2.0 web application which contains an Images
directory
with all website images. How can I prevent other websites from
creating
img
tags with the source as my images? I want to prevent other websites
from
serving my image.

For example - How can I prevent another website from doing this?
<img src="http://mywebsitename/images/image1.jpg"

Is this possible? Thanks