Pankaj Agarwal

Reputation: 11311

How can I hide/secure image path?

How can I hide/secure the image path in ASP.NET? I don't want the user to see the image path directly.

I have googled with my problem and found the following URL:

http://www.codeproject.com/KB/web-security/ImageObfuscation.aspx

On this page it suggests changing the image path like this:

<img ID='ImageControl'
     src='ShowImage.axd?Path=<%= EncryptString("C:\Images\img.ext", Page) %>' />

But if a user copies this image src and pastes it into their browser with the domain name, then it will show the image.

Upvotes: 1

Views: 6572

Answers (5)

Zhaph - Ben Duguid

Reputation: 26956

It really depends on what you are trying to achieve.

If you're trying to stop people linking to your images from another site, then the best option would be to extend the handler you mentioned in your question to only return an image if the Request.Referrer is your own site.

This means that if they did then try and link to the image via your handler, they'd only see a broken image/no image, they wouldn't be able to request the image directly in their browsers, etc.

You should also probably include some sort of time stamp in the encrypted path, and reject requests that come from too long ago - this will again limit the validity of the links:

<img ID='ImageControl'
     src='ShowImage.axd?Path=<%= EncryptString("C:\Images\img.ext|" + DateTime.Now.ToString(), Page) %>' />

Then in your handler:

' Encrypted "path|timestamp" value taken from the query string.
Dim pathAndTimeEnc As String = ctx.Request.Params("Path")
Dim pathAndTime As String
Dim path As String
Dim timeStamp As DateTime

' Decrypt, then split into the file path and the time the link was issued.
pathAndTime = Common.DecryptString(pathAndTimeEnc, ctx)
Dim parts = pathAndTime.Split("|"C)
path = parts(0)
timeStamp = DateTime.Parse(parts(1))

' Only serve links issued less than five minutes ago.
Dim fiveMin As TimeSpan = New TimeSpan(0, 5, 0)
If DateTime.Now.Subtract(timeStamp) < fiveMin Then
  ' Return image.
End If

If you're trying to stop people downloading your images then you're not really going to stop more than the most basic internet user - after all to display the image on your site, you'll need to send a copy of it to the client browser.

However, a couple of possible options to make it harder:

  1. Ensure that the images expire immediately, this means the browser shouldn't keep them locally for that long - however it does mean that none of the images will be cached, and you'll end up with higher bandwidth usage for repeat viewers; if you are using the handler you can do this in code: Response.Cache.SetCacheability(HttpCacheability.NoCache); Response.Cache.SetExpires(DateTime.Now);
  2. Use CSS to place a transparent 1x1px image over the top of the images on your site - this way if a user right-clicks on the image to save it, they will get the path to the transparent image rather than the one they are expecting (Flickr does/used to do this)

At the end of the day, if you put some content online, then it's very hard to stop the most dedicated "thief" from taking it and using it.

Upvotes: 2

Péter

Reputation: 2181

Store the path in a database or XML. Store some kind of unique ID for each path and rewrite the handler to query the path from the data source. You can use it like this:

<img ID='ImageControl' src='ShowImage.axd?ID=1' />

And the path remains secret :)

OK. Reread the original post. Try to store in the session which page has been seen. And if there is none, or it is not the page that contains the picture, you show a black screen. Yes, the visitor can see the image if s/he uses the link after s/he saw the page, but only while the session is alive. And the link won't work if s/he links to it from somewhere else.

Upvotes: 0
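
An added example, not part of either answer above and not code from the linked article: it combines the expiring link from the first answer with the ID lookup from the second. It swaps the page's EncryptString for an HMAC-SHA256 signature over an opaque ID and an expiry time, so no filesystem path is sent to the client; ImageLinks, Catalog, Key and the Exp/Sig parameters are hypothetical names, and the catalogue entry is constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class ImageLinks
{
    // Constructed sample data: opaque ID -> file on the server (never sent to the client).
    static readonly Dictionary<string, string> Catalog = new Dictionary<string, string>
    {
        { "1", @"C:\Images\img.ext" }
    };

    // Placeholder key (assumption): load a random secret from protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-random-secret");

    static string Sign(string payload)
    {
        using (var h = new HMACSHA256(Key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)))
                          .Replace('+', '-').Replace('/', '_').TrimEnd('=');
    }

    // Page side: builds ShowImage.axd?ID=..&Exp=..&Sig=.. (IDs are URL-safe catalogue keys).
    public static string Issue(string id, DateTime nowUtc, TimeSpan lifetime)
    {
        long exp = nowUtc.Add(lifetime).Ticks;
        return "ShowImage.axd?ID=" + id + "&Exp=" + exp + "&Sig=" + Sign(id + "|" + exp);
    }

    // Handler side: returns the file path, or null when the request must be refused.
    public static string Resolve(string id, string exp, string sig, DateTime nowUtc)
    {
        long ticks;
        if (id == null || sig == null || !long.TryParse(exp, out ticks)) return null;
        byte[] expected = Encoding.ASCII.GetBytes(Sign(id + "|" + exp));
        byte[] actual = Encoding.ASCII.GetBytes(sig);
        int diff = expected.Length ^ actual.Length;   // compare without an early exit
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        if (diff != 0) return null;                   // forged or altered link
        if (nowUtc.Ticks > ticks) return null;        // link has expired
        string path;                                  // only catalogued files are served
        return Catalog.TryGetValue(id, out path) ? path : null;
    }
}
```

Because the handler only serves files listed in the catalogue, a tampered ID cannot make it read an arbitrary path. A valid link still works from any browser until it expires.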

T.J. Crowder

Reputation: 1074238

You can do this, but it's going to be a lot of work, people are going to be able to get around it, and so there needs to be a really good reason for doing it and you need to recognize that it will never be a 100% solution. It will (at best) be a solution to prevent the non-technical from grabbing the images. (And even they can use Alt+PrintScreen.) And it will take time away from whatever you're doing that actually generates value.

But:

Basically, you can use one-time paths tied to an IP address. When the page is requested, log the IP address and generate custom image paths for that page basically in the form of "http://example.com/images/alsdkjflaskdf" (or "http://example.com/images/getimage?alsdkjflaskdf" if you can't do custom URL handlers) where the "alsdkjflaskdf" part is an encrypted/obfuscated, one-time-only path to the image that's only valid from that IP address, and only valid for a given time period. Once the time is up or it's been used, purge that generated path from your database (or whatever you're using to keep track).

The paths would be

  • Limited to the IP address
  • Time-limited
  • One-time-only

As you can see, it's a pain, and I could easily work around it with wget. Your time is almost certainly better spent elsewhere.

Upvotes: 0
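
An added example, not part of the answer above: a server-side store for the one-time, IP-bound, time-limited paths that answer describes. OneTimeImageTickets and its members are hypothetical names, an in-memory dictionary stands in for the database the answer mentions, and the client address is assumed to come from Request.UserHostAddress.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical helper for this example; an in-memory stand-in for a database table.
public sealed class OneTimeImageTickets
{
    sealed class Ticket { public string ImageId, ClientIp; public DateTime ExpiresUtc; }

    readonly ConcurrentDictionary<string, Ticket> _tickets =
        new ConcurrentDictionary<string, Ticket>();

    // Page side: the returned token is the unguessable part of the image URL.
    public string Issue(string imageId, string clientIp, DateTime nowUtc, TimeSpan lifetime)
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
        _tickets[token] = new Ticket
            { ImageId = imageId, ClientIp = clientIp, ExpiresUtc = nowUtc.Add(lifetime) };
        return token;
    }

    // Handler side: returns the image ID, or null when the request must be refused.
    public string Redeem(string token, string clientIp, DateTime nowUtc)
    {
        Ticket t;
        // TryRemove is atomic, so two concurrent requests cannot both redeem one token.
        if (token == null || !_tickets.TryRemove(token, out t)) return null;
        if (nowUtc > t.ExpiresUtc) return null;                 // time-limited
        if (!string.Equals(t.ClientIp, clientIp, StringComparison.Ordinal)) return null;
        return t.ImageId;                                       // one-time: already removed
    }

    // Run periodically to purge tickets that were issued but never used.
    public int PurgeExpired(DateTime nowUtc)
    {
        int removed = 0;
        foreach (var pair in _tickets)
        {
            Ticket ignored;
            if (pair.Value.ExpiresUtc < nowUtc && _tickets.TryRemove(pair.Key, out ignored))
                removed++;
        }
        return removed;
    }
}
```

A request from the wrong address also consumes the ticket here, and clients behind the same NAT or proxy share an address, so the IP check narrows who can use a link rather than identifying one user.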

Edd Barrett

Reputation: 3573

You could do some hack that symlinks the real image path to some (one time) temporary location which is sent to the client. Once the client has received the image, the symlink can be removed; although... what a hack!

How come the image path is a secret?

Upvotes: 0

Darin Dimitrov

Reputation: 1038770

There's absolutely no way to achieve this, so no need to waste your time and efforts. As long as the browser can show an image, the user can also directly fetch it.

Upvotes: 7
