Reputation: 3
I don't want the users to directly access images and media by writing the url to the controller in the browser.
I'm using a Autorhizationfilter to check if the user is logged in and should have access to see the image or media, but is there a way to see if the user is requesting the controller directly via the browser or if the request is embedded in the .cshtml or js-files.
Upvotes: 0
Views: 1154
Reputation: 101192
There are no way to get a safe protection for this. Referer easily be be faked when using HttpWebRequest
or similar methods. Referer would work if you just want to protect your images from regular users that doesn't use anything other than a browser.
Another method would be to generate a id for the images which can only be used one time. Instead of writing <img src="/path/to/image.png" />
you write <img src="/controller/image/sdlkjdsjlksdlk" />
where sdlkjdsjlksdlk
is a ID that you map to your image in a session variable. Use ImageResult
to return the image from your controller and delete the ID when the image have been returned.
Upvotes: 2
Reputation: 11319
You might can do this by looking at the StackTrace at run-time through your code, but that's a costly operation and that assumes that the execution paths for both requests are divergent enough to make a determination.
Upvotes: 0
Reputation: 19743
You might be able to check the referrer in Request.UrlReferrer
This would not be very reliable, though.
Upvotes: 0