I am using ASP.NET and my users need to upload private pictures to my server. These pictures cannot in any way get spread, so I need to protect them in some way. What is the easiest way to protect them from public use so only the authorized user can reach them?

Thanks!

+4  A: 

Use an asp.net handler instead of serving the images directly. This way you can have a granular control over authorization when serving the image.

Also, keep the images out of public folders, so users can't download them i.e. store them outside the folder for the web site or on a database.

Check this for a bit more info on handlers: http://www.wrox.com/WileyCDA/Section/id-291916.html. Both samples serve images, but they are focused on pretty specific scenarios. As you can see in those, you have complete control over the logic you implement in there, so you could check if the user requesting the image is authorized to download the specified image.

eglasius
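
A handler along the lines this answer describes, as an added example that is not part of the original answer or the linked samples. It assumes forms authentication, uploads stored under a hypothetical `D:\PrivateUploads\<user name>\` folder outside the web root, and a `file` query-string parameter; `PrivateImageHandler` is an illustrative name.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Added example. Assumptions: forms authentication, and uploads saved under
// D:\PrivateUploads\<user name>\ (outside the web root). Both names are hypothetical.
public class PrivateImageHandler : IHttpHandler
{
    private const string StorageRoot = @"D:\PrivateUploads";
    private static readonly Dictionary<string, string> ContentTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { ".jpg", "image/jpeg" }, { ".png", "image/png" }, { ".gif", "image/gif" } };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Anonymous requests never reach the file system.
        if (!context.Request.IsAuthenticated) { context.Response.StatusCode = 401; return; }
        string user = context.User.Identity.Name;
        string file = context.Request.QueryString["file"];
        string contentType;

        // Accept only a plain file name with an allowed extension; separators,
        // drive letters and ".." never get as far as Path.Combine.
        if (!IsPlainName(user) || !IsPlainName(file) ||
            !ContentTypes.TryGetValue(Path.GetExtension(file), out contentType))
        { context.Response.StatusCode = 404; return; }

        // The folder comes from the authenticated identity, not from the request,
        // so a user can only ever address files in their own folder.
        string userDir = Path.GetFullPath(Path.Combine(StorageRoot, user));
        string path = Path.GetFullPath(Path.Combine(userDir, file));
        if (!path.StartsWith(userDir + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(path))
        { context.Response.StatusCode = 404; return; } // same answer for "missing" and "not yours"
        context.Response.ContentType = contentType;
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache); // keep out of shared caches
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.TransmitFile(path);
    }

    private static bool IsPlainName(string name)
    {
        return !string.IsNullOrEmpty(name) && name != "." && name != ".."
            && name.IndexOfAny(Path.GetInvalidFileNameChars()) < 0;
    }
}
```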
A: 

Handler, I'm a newbie.. What's that?

Look for "ASP.Net handler" or IHttpHandler on the net. That's what Freddy is referring to. http://www.agileprogrammer.com/dotnetguy/articles/IntroToHandlers.aspx
f3lix
Welcome martin, please use comments to ask for details.
Canavar
For comments he needs at least 50 Rep.
Burkhard
@martin added a link with 2 image handler implementations - they handle specific scenarios, but you can understand the concept from there and roll your own.
eglasius
@Burkhard I think anyone can leave comments to answers on their own question. At any rate, Martin, creating an 'answer' should not be used to ask for further info. Perhaps edit your original question?
thomasrutter
+8  A: 
  • Would you like the public to be able to view the images, but make it a tiny bit harder to download them?

    If so, you could look into the way Flickr does it, for anybody that opts out of allowing downloads. They lay a transparent GIF image over the top of the real image, to prevent downloading the image by right-clicking it.

    It is still pretty easy to download them, because as a rule of thumb anything the public can view, they can save to their hard disk. I therefore see attempts to prevent downloads of publicly viewable material as fairly futile; and mostly just a violation of usability. Perhaps you should think about legal avenues rather than obfuscation; state your copyright notice and any license you want clearly and be prepared to pursue anyone who steals them.

  • Would you like to allow people to view and download images from your site, but not to hotlink them from other sites?

    If so, the key is to detect the referer (sic) header sent, and deny the image if the referer is not a match. Note that if the referer is blank, you have to trust it by default, as a lot of people's browsers legitimately don't send a referer even when viewing on your own page.

    This is usually done in a server directive; if you were using Apache, you would do it in an .htaccess file using mod_rewrite directives. If you are on IIS, however, then I'm less clear, though these instructions may or may not help.

  • Or, do you want to prevent the public from being able to view them at all? If so, you would just need to use access control on whatever server you are using - here's access control instructions for IIS.

thomasrutter
@thomasrutter I agree that you can't do much to prevent an authorized user from saving the image and spreading it outside your system. This doesn't mean you are free to let anyone unauthorized download the user's images directly from the system.
eglasius
@Freddy Rios, if blocking unauthorized people is what is desired, then that's an access control issue - you need to make it so unauthorized people cannot access the pictures at all. But to allow people to view them, there's no physical way to prevent them saving or copying them, only legal ways.
thomasrutter
@thomasrutter agreed, re-read the question :) --- I think it is exactly about that (authorization), note that you can perfectly authorize images on a per user/group basis
eglasius
A: 

Hi again!

Thanks for your answers. What I want to do is make sure that just the user that uploaded the photos will be able to reach them. The user that uploaded the photos should be able to download them or whatever he wants. Can I just put the photos in a directory over the actual website? Will this be enough so no one can browse the photos?

+1  A: 

You might want to look at this question for some ideas: secure images against static requests

MikeJ