Lotok

Reputation: 4607

Prevent users accessing image directory contents

I am creating a site using ASP.NET MVC4; one of the functions on the site is for users to upload images. The images may be of a personal nature, almost definitely containing images of their children.

The images are being stored on MS Azure SQL Database along with their metadata. To save bandwidth usage on Azure, once the image has been downloaded, it saves to a user directory

~/UserImages/<Username>/<Image>

When the gallery page is loaded, the controller action checks the database against what is in the user's directory and just brings down any not already there.

The <Username> part of the directory is created by the controller when required, so I am unable to set IIS permission on it. However, even if I was, I am unsure what IIS could do as the users are not known in advance (new registrations etc).

Due to MVC routing, it won't be possible for users to access other users' directories by guessing usernames; however, if you can guess a username AND imagename, then it does display. I am looking for ideas on preventing that from happening to minimise the chance of someone else's images becoming exposed to others.

I have tried an IgnoreRoute but this didn't work.

routes.IgnoreRoute("UserImages/{*pathInfo}");

Ideally I would have the UserImages directory cleared on logout, but not everyone will use the logout command. If they were cleared out there is a much smaller chance of something finding the combination of username and imagename before the files are removed.

Upvotes: 2

Views: 792

Answers (1)

Pablo Romeo

Reputation: 11396

How about, instead of storing your cached images within the actual site structure as static content fed by IIS, you store the images in a path outside the site?

That would ensure no unauthorized user could access them directly.

Then you can provide access to those images through a Controller (UserImagesController maybe) Action that can validate that the image being requested is one to which the current user has access.

Your check might end up being as simple as checking the requested UserName parameter of the action is the same as your current user's UserName.

With this approach you can also control the cache headers, expiration, etc, of those images.

Upvotes: 1
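
The approach described in the answer above, as an added example that is not part of the original post or the answerer's own code. The cache path `D:\ImageCache`, the action name `Show`, the route shape and the one-hour cache lifetime are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.Mvc;

[Authorize] // anonymous requests never reach the action
public class UserImagesController : Controller
{
    // Assumed cache location outside the web root, so IIS cannot serve it as static content.
    private const string CacheRoot = @"D:\ImageCache";

    // Only these extensions are served; anything else is treated as not found.
    private static readonly Dictionary<string, string> ContentTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { ".jpg", "image/jpeg" }, { ".jpeg", "image/jpeg" },
            { ".png", "image/png" }, { ".gif", "image/gif" }
        };

    // Assumed route: UserImages/{userName}/{fileName}
    public ActionResult Show(string userName, string fileName)
    {
        // The check from the answer: the requested user name must match the logged-in user.
        if (!string.Equals(userName, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(403);

        // Reject names that carry directory parts, e.g. "..\someone\photo.jpg".
        if (string.IsNullOrEmpty(fileName) || fileName != Path.GetFileName(fileName))
            return HttpNotFound();

        string contentType;
        if (!ContentTypes.TryGetValue(Path.GetExtension(fileName), out contentType))
            return HttpNotFound();

        // Build the path from the authenticated identity, then confirm it stays inside that user's folder.
        string userDir = Path.GetFullPath(Path.Combine(CacheRoot, User.Identity.Name));
        string fullPath = Path.GetFullPath(Path.Combine(userDir, fileName));
        if (!fullPath.StartsWith(userDir + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !System.IO.File.Exists(fullPath))
            return HttpNotFound();

        // Private caching: the user's browser may cache the image, shared proxies may not.
        Response.Cache.SetCacheability(HttpCacheability.Private);
        Response.Cache.SetMaxAge(TimeSpan.FromHours(1));
        return File(fullPath, contentType);
    }
}
```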
