tags:

views:

38

answers:

1
Q: 

Protecting images in ASP.NET MVC (w/ custom RouteHandler)

I created a custom RouteHandler for images that I want protected. My RouteHandler simply takes a new route (graphics/{filename}) and does a lookup for the true file path, sets the mime type, and serves it up. That works fine. (http://www.mikesdotnetting.com/Article/126/ASP.NET-MVC-Prevent-Image-Leeching-with-a-Custom-RouteHandler)

What I wanted to do next was to do a check within my custom handler for a session variable that I would set earlier to make sure the person trying to view the image had permission to do so.

Basically, they would pass a login (enter a code), which would set a session variable that I would look for in the custom RouteHandler.

My problem is that I can't seem to get at the session data from within the custom RouteHandler.

Finally, my question is: How can I set data in a controller and have it available to me from within a custom RouteHandler on a subsequent request?

+1  A: 

First, from the RequestContext passed in to the GetHttpHandler method, can you not access the Session via requestContext.HttpContext.Session? I am not sure, I could see this not working by default since it is so early in the pipeline.

If not, you can always easily move the Session checking logic into the handler by adding the IRequiresSessionState interface to your handler.

Rex M  2010-06-26 03:00:44
How would I use IRequiresSessionState? My current setup is that I have a class "ImageRouteHandler" that implements IRouteHandler, then I just have a GetHttpHandler method within that serves up my image.
Brian David Berman  2010-06-29 00:45:23
@Brian The ImageRouteHandler could do the session validation and return a 403 not authorized, which your application then catches and handles. Or you could set up a chained IHttpHandler where the first checks session and then executes the second if it deems it OK.
Rex M  2010-06-29 00:58:59
@Rex I am still just getting null when trying to reference a session variable from within the RouteHandler
Brian David Berman  2010-06-29 01:22:45
@Brian you will not get the session from the RouteHandler. Get it from the HttpHandler, as I noted in the second half of the answer.
Rex M  2010-06-29 12:56:32

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data