Securing Images under Forms-Based Authentication in ASP.NET Applications

James Coleman

3.78/5 (6 votes)

Oct 22, 2002

2 min read

97243

921

Allows Forms-based authentication to work on non-parsed files such as images.

Download source files - 1.33 Kb

Introduction

One of the great features of an ASP.NET application is the ability to use Forms-based authentication which allows for easy implementation of custom security. In a nutshell, if a user tries to access any page in the application, the system will make sure they are authenticated and if they are not, then they will be redirected to a login page. The problem however is that, this is not the case for images. In most situations this would be fine because the odds of someone guessing the path to a secured image is slim. My client however could not take the chance of the secured images being viewed by non-authorized users.

The solution

Assets directory

First create a directory that will hold the secure images (d:\assets). This directory is not a virtual directory, to prevent access to its files through a browser.

Web.Config

You will want your web.config file to enable Forms-based authentication. Refer to Microsoft Knowledge base article - q308157 for more info, because this is outside of the scope of this article.

I also prefer to use <appSettings> to store application variables as opposed to hard coding paths within the .vb files.

<appSettings>
   <add key="SECURED_ASSETS_PATH" value="d:\assets\" />    
</appSettings>

imageHandler.aspx

This is actually just a blank .aspx page. All of the functionality is in the code behind page in the Page_Load event.

imageHandler.vb

The Page_Load event gets the filename from the querystring and will then open the file into a FileStream object. It then reads the FileStream into a buffer and then uses the Response.BinaryWrite() to return the file to the browser.

Private Sub Page_Load(ByVal sender As System.Object, 
       ByVal e As System.EventArgs) Handles MyBase.Load
        Dim fileName As String = Request.QueryString("src")
        If fileName = "" Then
            fileName = "empty.gif"
        End If
        'in your web.config file be sure to have an 
        'appsetting similar to the following.
        'the "d:\assets\" is where the secured images are 
        'being stored inaccessible from a browser directly
        '<appSettings>
        '<add key="SECURED_ASSETS_PATH" value="d:\assets\" />    
        '</appSettings>
        fileName = AppSettings.Item("SECURED_ASSETS_PATH") & fileName
        Dim fileStream As FileStream
        Dim fileSize As Long

        fileStream = New FileStream(fileName, FileMode.Open)
        fileSize = fileStream.Length

        Dim Buffer(CInt(fileSize)) As Byte
        fileStream.Read(Buffer, 0, CInt(fileSize))
        fileStream.Close()
        Response.BinaryWrite(Buffer)
End Sub

Implementation

With imageHandler.aspx in a Forms-Based authentication web site, you can use it to be the gatekeeper on the images you want security around. If they are not authenticated, then when they try to hit imageHandler.aspx, they will be redirected to the login page. If they are authenticated then imageHandler.aspx will return the image referred to in the querystring. If we wanted to display the secured image customer3233_bankstatement.jpg on the web site, we would do the following:

<IMG src="imageHandler.aspx?src=customer3233_bankstatement.jpg">