One of the great features of an ASP.NET application is the ability to use Forms-based authentication which allows for easy implementation of custom security. In a nutshell, if a user tries to access any page in the application, the system will make sure they are authenticated and if they are not, then they will be redirected to a login page. The problem however is that, this is not the case for images. In most situations this would be fine because the odds of someone guessing the path to a secured image is slim. My client however could not take the chance of the secured images being viewed by non-authorized users.
First create a directory that will hold the secure images (d:\assets). This directory is not a virtual directory, to prevent access to its files through a browser.
You will want your web.config file to enable Forms-based authentication. Refer to Microsoft Knowledge base article - q308157 for more info, because this is outside of the scope of this article.
I also prefer to use
<appSettings> to store application variables as opposed to hard coding paths within the .vb files.
<add key="SECURED_ASSETS_PATH" value="d:\assets\" />
This is actually just a blank .aspx page. All of the functionality is in the code behind page in the
Page_Load event gets the filename from the querystring and will then open the file into a
FileStream object. It then reads the
FileStream into a buffer and then uses the
Response.BinaryWrite() to return the file to the browser.
Private Sub Page_Load(ByVal sender As System.Object,
ByVal e As System.EventArgs) Handles MyBase.Load
Dim fileName As String = Request.QueryString("src")
If fileName = "" Then
fileName = "empty.gif"
fileName = AppSettings.Item("SECURED_ASSETS_PATH") & fileName
Dim fileStream As FileStream
Dim fileSize As Long
fileStream = New FileStream(fileName, FileMode.Open)
fileSize = fileStream.Length
Dim Buffer(CInt(fileSize)) As Byte
fileStream.Read(Buffer, 0, CInt(fileSize))
With imageHandler.aspx in a Forms-Based authentication web site, you can use it to be the gatekeeper on the images you want security around. If they are not authenticated, then when they try to hit imageHandler.aspx, they will be redirected to the login page. If they are authenticated then imageHandler.aspx will return the image referred to in the querystring. If we wanted to display the secured image customer3233_bankstatement.jpg on the web site, we would do the following: