Click here to Skip to main content
Click here to Skip to main content

Securing Images under Forms-Based Authentication in ASP.NET Applications

, 21 Oct 2002
Rate this:
Please Sign up or sign in to vote.
Allows Forms-based authentication to work on non-parsed files such as images.

Introduction

One of the great features of an ASP.NET application is the ability to use Forms-based authentication which allows for easy implementation of custom security. In a nutshell, if a user tries to access any page in the application, the system will make sure they are authenticated and if they are not, then they will be redirected to a login page. The problem however is that, this is not the case for images. In most situations this would be fine because the odds of someone guessing the path to a secured image is slim. My client however could not take the chance of the secured images being viewed by non-authorized users.

The solution

Assets directory

First create a directory that will hold the secure images (d:\assets). This directory is not a virtual directory, to prevent access to its files through a browser.

Web.Config

You will want your web.config file to enable Forms-based authentication. Refer to Microsoft Knowledge base article - q308157 for more info, because this is outside of the scope of this article.

I also prefer to use <appSettings> to store application variables as opposed to hard coding paths within the .vb files.

<appSettings>
   <add key="SECURED_ASSETS_PATH" value="d:\assets\" />    
</appSettings>

imageHandler.aspx

This is actually just a blank .aspx page. All of the functionality is in the code behind page in the Page_Load event.

imageHandler.vb

The Page_Load event gets the filename from the querystring and will then open the file into a FileStream object. It then reads the FileStream into a buffer and then uses the Response.BinaryWrite() to return the file to the browser.

Private Sub Page_Load(ByVal sender As System.Object, 
       ByVal e As System.EventArgs) Handles MyBase.Load
        Dim fileName As String = Request.QueryString("src")
        If fileName = "" Then
            fileName = "empty.gif"
        End If
        'in your web.config file be sure to have an 
        'appsetting similar to the following.
        'the "d:\assets\" is where the secured images are 
        'being stored inaccessible from a browser directly
        '<appSettings>
        '<add key="SECURED_ASSETS_PATH" value="d:\assets\" />    
        '</appSettings>
        fileName = AppSettings.Item("SECURED_ASSETS_PATH") & fileName
        Dim fileStream As FileStream
        Dim fileSize As Long

        fileStream = New FileStream(fileName, FileMode.Open)
        fileSize = fileStream.Length

        Dim Buffer(CInt(fileSize)) As Byte
        fileStream.Read(Buffer, 0, CInt(fileSize))
        fileStream.Close()
        Response.BinaryWrite(Buffer)
End Sub

Implementation

With imageHandler.aspx in a Forms-Based authentication web site, you can use it to be the gatekeeper on the images you want security around. If they are not authenticated, then when they try to hit imageHandler.aspx, they will be redirected to the login page. If they are authenticated then imageHandler.aspx will return the image referred to in the querystring. If we wanted to display the secured image customer3233_bankstatement.jpg on the web site, we would do the following:

<IMG src="imageHandler.aspx?src=customer3233_bankstatement.jpg">

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

Share

About the Author

James Coleman
Technical Lead Independent Consultant
United States United States
___________________________
J A M E S C O L E M A N
Director, Technical Services
Linked-In: http://www.linkedin.com/in/jameswcoleman
Blog: ledtalks.wordpress.com
Follow on   Twitter   Google+   LinkedIn

Comments and Discussions

 
Generalstuff is good PinsussAnonymous12-Apr-05 18:10 
GeneralViewing Blob bject of having document from Database by using Binarywite method PinmemberNitin Narkar15-Apr-04 4:03 
GeneralHmmm PinsussMike Sanders5-Dec-03 17:29 
GeneralRe: Hmmm PinmemberJames Coleman6-Dec-03 7:20 
GeneralAnother way to handle with IIS PinmemberJames Coleman25-Oct-02 9:31 
I am still looking into performance considerations on which method is the best way to secure images but here is a good article on how to secure images by adjusting some settings in IIS.
 
http://www.dotnetcoders.com/web/Articles/ShowArticle.aspx?article=43[^]
 
-james
GeneralRe: Another way to handle with IIS Pinmembermadheadwork12-Dec-08 5:55 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web02 | 2.8.140821.2 | Last Updated 22 Oct 2002
Article Copyright 2002 by James Coleman
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid