ASP.NET MVC: Is it possible to see if where the the request comes from?

Question

I don't want the users to directly access images and media by writing the url to the controller in the browser.

I'm using a Autorhizationfilter to check if the user is logged in and should have access to see the image or media, but is there a way to see if the user is requesting the controller directly via the browser or if the request is embedded in the .cshtml or js-files.

Answer 1

There are no way to get a safe protection for this. Referer easily be be faked when using HttpWebRequest or similar methods. Referer would work if you just want to protect your images from regular users that doesn't use anything other than a browser.

Another method would be to generate a id for the images which can only be used one time. Instead of writing <img src="/path/to/image.png" /> you write <img src="/controller/image/sdlkjdsjlksdlk" /> where sdlkjdsjlksdlk is a ID that you map to your image in a session variable. Use ImageResult to return the image from your controller and delete the ID when the image have been returned.

Answer 2

You might can do this by looking at the StackTrace at run-time through your code, but that's a costly operation and that assumes that the execution paths for both requests are divergent enough to make a determination.

Answer 3

You might be able to check the referrer in Request.UrlReferrer This would not be very reliable, though.