Best way to secure a silverlight image viewer in a web application?

Question

I have a web application that is secured and stores user detail information in a session object. I am building a Silverlight control to view images that are stored in the database and access to those images needs to be secured. I am not trying to prevent copying or anything like that but I need to make sure that the user accessing the image actually has access to view the image which can be achieved by checking the user data in the session.

So my thoughts were to do the following:

1. Web Application that has hosts the Silverlight control.
2. A ashx file to handle the serving up of the image from the database.
3. The ashx file when accessed via the silverlight control will check the session to make sure they do have access to this image. (I am assuming the silverlight control and web app share the same session, this could be a wrong assumption.)

Does this setup sound correct or are there other ways of approaching this? This will be my first time integrating a Silverlight control into a web application.

Answer 1

Sounds like you want to ensure that nobody is sniffing traffic to determine the URL to your ashx path. Perhaps you don't want that URL being used independently from your page, or for other images that the user/caller shouldn't be seeing.

Have you considered leaving a cookie value for the client? Perhaps a scenario like this:

• when your customer visits the page, it sounds like you want to load an image into a Silverlight control. At the time that you're processing the other data on the page, send a cookie value back to the browser.

• drop a salted/hashed value in a cookie based on the browser/caller AND the image being requested.

• Let's say that the image is someImage.png, and the client's IP address is 10.10.10.10. Use some salt like the image's db identifier to ensure uniqueness between images. Let's pretend it has ID 509.

• Run the string "509_someImage.png_10.10.10.10" through a one-way encryption method (i.e. AES) using a strong key that you keep secret on your end. Let's pretend that your result is 'biglongcrazyrandomstring123', but it will obviously be much longer.

• on the querystring to the call to the image.ashx page, force the include of that value (i.e. image.ashx?img=someImage.png&key=biglongcrazyrandomstring123).

• On the server side, you go to your DB and retrieve the ID for someImage.png. Run the requestor's IP address, the image file name, and the database ID through the same encryption algorithm. Compare THAT value with the value sent in the querystring. If they match, then you know that YOU put the string in their cookie. Rather, you know reasonably that they couldn't have guessed it.

• If anyone tries to mess with that querystring value, it'll fail every time because you're comparing two generated values.

Answer 2

THe silverlight control lives within the context of the browser. I think that if you're silverlight control callse your ashx page, the ashx page will execute under the same session that your web application is running.

When a user logs into your web application, store something in the session to indicate they are authenticated, and check it in your ashx page.

It is a simple scenario to mockup and test.