Click here to Skip to main content
13,357,648 members (62,229 online)
Click here to Skip to main content
Add your own
alternative version


44 bookmarked
Posted 21 Oct 2002

Securing Images under Forms-Based Authentication in ASP.NET Applications

, 21 Oct 2002
Rate this:
Please Sign up or sign in to vote.
Allows Forms-based authentication to work on non-parsed files such as images.


One of the great features of an ASP.NET application is the ability to use Forms-based authentication which allows for easy implementation of custom security. In a nutshell, if a user tries to access any page in the application, the system will make sure they are authenticated and if they are not, then they will be redirected to a login page. The problem however is that, this is not the case for images. In most situations this would be fine because the odds of someone guessing the path to a secured image is slim. My client however could not take the chance of the secured images being viewed by non-authorized users.

The solution

Assets directory

First create a directory that will hold the secure images (d:\assets). This directory is not a virtual directory, to prevent access to its files through a browser.


You will want your web.config file to enable Forms-based authentication. Refer to Microsoft Knowledge base article - q308157 for more info, because this is outside of the scope of this article.

I also prefer to use <appSettings> to store application variables as opposed to hard coding paths within the .vb files.

   <add key="SECURED_ASSETS_PATH" value="d:\assets\" />    


This is actually just a blank .aspx page. All of the functionality is in the code behind page in the Page_Load event.


The Page_Load event gets the filename from the querystring and will then open the file into a FileStream object. It then reads the FileStream into a buffer and then uses the Response.BinaryWrite() to return the file to the browser.

Private Sub Page_Load(ByVal sender As System.Object, 
       ByVal e As System.EventArgs) Handles MyBase.Load
        Dim fileName As String = Request.QueryString("src")
        If fileName = "" Then
            fileName = "empty.gif"
        End If
        'in your web.config file be sure to have an 
        'appsetting similar to the following.
        'the "d:\assets\" is where the secured images are 
        'being stored inaccessible from a browser directly
        '<add key="SECURED_ASSETS_PATH" value="d:\assets\" />    
        fileName = AppSettings.Item("SECURED_ASSETS_PATH") & fileName
        Dim fileStream As FileStream
        Dim fileSize As Long

        fileStream = New FileStream(fileName, FileMode.Open)
        fileSize = fileStream.Length

        Dim Buffer(CInt(fileSize)) As Byte
        fileStream.Read(Buffer, 0, CInt(fileSize))
End Sub


With imageHandler.aspx in a Forms-Based authentication web site, you can use it to be the gatekeeper on the images you want security around. If they are not authenticated, then when they try to hit imageHandler.aspx, they will be redirected to the login page. If they are authenticated then imageHandler.aspx will return the image referred to in the querystring. If we wanted to display the secured image customer3233_bankstatement.jpg on the web site, we would do the following:

<IMG src="imageHandler.aspx?src=customer3233_bankstatement.jpg">


This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


About the Author

James Coleman
Technical Lead Independent Consultant
United States United States
Director, Technical Services

You may also be interested in...


Comments and Discussions

Generalstuff is good Pin
Anonymous12-Apr-05 19:10
sussAnonymous12-Apr-05 19:10 
GeneralViewing Blob bject of having document from Database by using Binarywite method Pin
Nitin Narkar15-Apr-04 5:03
memberNitin Narkar15-Apr-04 5:03 
GeneralHmmm Pin
Mike Sanders5-Dec-03 18:29
sussMike Sanders5-Dec-03 18:29 
GeneralRe: Hmmm Pin
James Coleman6-Dec-03 8:20
memberJames Coleman6-Dec-03 8:20 
GeneralAnother way to handle with IIS Pin
James Coleman25-Oct-02 10:31
memberJames Coleman25-Oct-02 10:31 
GeneralRe: Another way to handle with IIS Pin
madheadwork12-Dec-08 6:55
membermadheadwork12-Dec-08 6:55 
This link is broken can you please provide another link?

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web04 | 2.8.180111.1 | Last Updated 22 Oct 2002
Article Copyright 2002 by James Coleman
Everything else Copyright © CodeProject, 1999-2018
Layout: fixed | fluid