I am a student web developer and I have problems regarding protecting images from href access

I am making a photo sharing website that has an option that a user uploads an image to an album(folder) and selects an option that is either to keep the album public or private. If the album is public then href access is enabled (i.e for example www.photosharingsite.com/username/pictures/album1/image.jpg) but if the album is opted private then href acces is disabled (i.e the mentioned link shows an error page or forwards to a default page) I have two options

1. Uploading and saving images to database.
or
2. Uploading images to folders.

Please tell me what is the best option? For 1st option: I know how to save images to databases but don't know how to make them private (preventing href access). And for 2nd option: I also know how to upload images to folders but Dont know how to protect images in them from direct access

I have heard uploading large images to databases is bad idea...wht u say :S...Please help me! I will be very thankful of you

Hi

     It's better to upload Images in folder than Database.You can save the Imagename in database and using that filename you can retrieve it from the folder.

 When the user is uploading image,save the private or public mode in database also.

And about hiding images for private option use linkbutton or Hyperlink than HTML link so that you can check whether the Images are specified as public and then You can show the link or else just set Visible =false.

I suggest the following:

Save the files to a folder that is not directly accessible by anyone.

Register the name of the file, the id of the user to which it belongs, and a flag indicating if it's public or private in a table in your database.

Now create an HttpModule for serving your images. You do this by implementing the IHttpModule interface.

In your httpmodule code, you check the request url to find out which image is being requested and to whom it belongs. Now check against the database to see if it's public or private.

If it's public you write it to the response stream (remember to set content type to image/jpeg) by reading it from disk and writing it to Response.OutputStream.

If it's private you either just end the response (eg. with a access denied http code) if the requestor is not the owner of the picture, or serve the picture otherwise.

To learn more about creating your own httpmodule read this: http://msdn2.microsoft.com/en-us/library/ms227673.aspx

Hope it points you in the right direction.

/Klaus

Hi there,

1. Saving images in folders is always a good idea, however for simplicity you may consider storing images in Database as modern databases are damn good.

2. For protecting images, there is no easy way as you can either flash them that disallows people not to be able to save them, or use watermarks in the image. Flash present a usability problems, hence I am proposing a watermarking solutions as in here http://blog.donnfelker.com/2007/09/18/WatermarkingImagesInASPNETWithAnHttpHandler.aspx

Hope that helps..

Klaus Byskov Pedersen:

I suggest the following:

Save the files to a folder that is not directly accessible by anyone.

I'd argue for the database myself. The perf hit is negligible these days, images are relatively small, it's easier to secure, you don't have to name files with GUIDs, and you get transactions for free.

Klaus Byskov Pedersen:

Register the name of the file, the id of the user to which it belongs, and a flag indicating if it's public or private in a table in your database.

Now create an HttpModule for serving your images. You do this by implementing the IHttpModule interface.

In your httpmodule code, you check the request url to find out which image is being requested and to whom it belongs. Now check against the database to see if it's public or private.

If it's public you write it to the response stream (remember to set content type to image/jpeg) by reading it from disk and writing it to Response.OutputStream.

Obviously, not all images are JPEG - so you should store the mime type of the uploaded file and use it in the response. Also, if you store it on disk, you can just use Response.WriteFile(string).

Klaus Byskov Pedersen:

 

If it's private you either just end the response (eg. with a access denied http code) if the requestor is not the owner of the picture, or serve the picture otherwise.

To learn more about creating your own httpmodule read this: http://msdn2.microsoft.com/en-us/library/ms227673.aspx

Hope it points you in the right direction.

/Klaus

I'd just add (in case it's not clear) that you'd use whatever authentication you already have in place to determine if the requestor is the owner of the pic. That'd probably be Forms authentication.

thankyou naturehermit... this really helped me :)

In my case images can be upto 1 GB so in this case images arnt gona be small

Klaus Byskov Pedersen:

I suggest the following:

Save the files to a folder that is not directly accessible by anyone.

Register the name of the file, the id of the user to which it belongs, and a flag indicating if it's public or private in a table in your database.

Now create an HttpModule for serving your images. You do this by implementing the IHttpModule interface.

In your httpmodule code, you check the request url to find out which image is being requested and to whom it belongs. Now check against the database to see if it's public or private.

If it's public you write it to the response stream (remember to set content type to image/jpeg) by reading it from disk and writing it to Response.OutputStream.

If it's private you either just end the response (eg. with a access denied http code) if the requestor is not the owner of the picture, or serve the picture otherwise.

To learn more about creating your own httpmodule read this: http://msdn2.microsoft.com/en-us/library/ms227673.aspx

Hope it points you in the right direction.

/Klaus