How can I hide/secure image path in asp.net? I don't want the user see image path directly.
I have googled with my problem and found the following URL:
http://www.codeproject.com/KB/web-security/ImageObfuscation.aspx
On this page it suggests changing the image path like this:
<img ID='ImageControl'
src='ShowImage.axd?Path=<% EncryptString("C:\Images\img.ext", Page) %>'
But if user copy this image src and paste it into their browser with the domain name then it will show image.
There's absolutely no way to achieve this, so no need to waste your time and efforts. As long as the browser can show an image, the user can also directly fetch it.
It really depends on what you are trying to achieve.
If you're trying to stop people linking to your images from another site, then the best option would be to extend the handler you mentioned in your question to only return an image if the Request.Referrer is your own site.
This means that if they did then try and link to the image via your handler, they'd only see a broken image/no image, they wouldn't be able to request the image directly in their browsers, etc.
You should also probably include some sort of time stamp in the encrypted path, and reject requests that come from too long ago - this will again limit the validity of the links:
<img ID='ImageControl'
src='ShowImage.axd?Path=<% EncryptString("C:\Images\img.ext|" + DateTime.Now.ToString(), Page) %>'
Then in your handler:
Dim pathAndTimeEnc As String = ctx.Request.Params("Path")
Dim pathAndTime As String
Dim path As String
Dim timeStamp As DateTime
pathAndTime = Common.DecryptString(pathAndTimeEnc, ctx)
Dim parts = pathAndTime.Split("|"C)
path = parts(0)
timeStamp = DateTime.Parse(parts(1))
Dim fiveMin As TimeSpan = New TimeStamp(0, 5, 0)
If DateTime.Now.Subtract(timeStamp) < fiveMin Then
' Return image.
End If
If you're trying to stop people downloading your images then you're not really going to stop more than the most basic internet user - after all to display the image on your site, you'll need to send a copy of it to the client browser.
However, a couple of possible options to make it harder:
Ensure that the images expire immediately, this means the browser shouldn't keep them locally for that long - however it does mean that none of the images will be cached, and you'll end up with higher bandwidth useage for repeat viewers; if you are using the handler you can do this in code:
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetExpires(DateTime.Now);
Use CSS to place a transparent 1x1px image over the top of the images on your site - this way if a user right-clicks on the image to save it, they will get the path to the transparent image rather than the one they are expecting (Flickr does/used to do this)
At the end of the day, if you put some content online, then it's very hard to stop the most dedicated "thief" from taking it and using it.
You could do some hack that symlinks the real image path to some (one time) temporary location which is sent to the client. Once the client has received the image, the symlink can be removed; although... what a hack!
How comes the image path is a secret?
You can do this, but it's going to be a lot of work, people are going to be able to get around it, and so there needs to be a really good reason for doing it and you need to recognize that it will never be a 100% solution. It will (at best) be a solution to prevent the non-technical from grabbing the images. (And even they can use Alt+PrintScreen.) And it will take time away from whatever you're doing that actually generates value.
But:
Basically, you can use one-time paths tied to an IP address. When the page is requested, log the IP address and generate custom image paths for that page basically in the form of "http://example.com/images/alsdkjflaskdf" (or "http://example.com/images/getimage?alsdkjflaskdf" if you can't do custom URL handlers) where the "alsdkjflaskdf" part is an encrypted/obfuscated, one-time-only path to the image that's only valid from that IP address, and only valid for a given time period. Once the time is up or it's been used, purge that generated path from your database (or whatever you're using to keep track).
The paths would be
Limited to the IP address
Time-limited
One-time-only
As you can see, it's a pain, and I could easily work around it with wget. Your time is almost certainly better spent elsewhere.
Store the path in a database or xml. Store some kind of unique id each path and rewrite the handler to query the path from the datasource. You can use like this:
< img ID='ImageControl' src='ShowImage.axd?ID=1 %>'
And the path reamain secret :)
Ok. Reread the original post. Try to store the session whitch page has been seen. And if there is no one or not the page that contain the picture You show a black screen. Yes the visitor can see if use the link after s/he saw the page, but until the session is alive. And the link won't work if s/he link to somewhere.
Related
Here is the example image url I found on Steam.
https://steamcommunity-a.akamaihd.net/public/shared/images/header/globalheader_logo.png?t=962016
The image url gives the same result with or without the ?t=962016. What is it called? And what does it do?
?t=962016
This is a technique to disable browser caching, browser sees it as a new url, and fetches the resource again from web server. The resource can be image, css file, js file etc. This is the most common use case, but can be also used differently by the web server.
There is another use case also. I have done this one of my project.
I have a made all requests to *.jpg handle by a php script.
Eg: mysite.com/user/avatar.jpg?id=100
avatar.jpg is actually a php script which takes the query param (in this case the id 100) and returns the correspond user's avatar (user with id 100). Browser see this as an image. Another advantage is we can disable hot linking directly to this image, as the script can check if the request is originated from the same domain.
IMO there is 2 possibilities
- They put that parameter to avoid the image to be cached, the value of t is random in this case
- The image can be generated by a script, in this case the value of t is the id of the image.
Hi there i need to show an image stored in the oracle database in (blob format i think).i have retrieved the image from database in dataset = dt.rows[0]["image"].how can convert the image to show it on the page.
Thanks.
In order to display it on a page, you need to serve the image as a separate resource from the web server.
Meaning, your page.aspx will have a tag with a src="your_image.aspx". In your_image.aspx, you need to clear response headers, make sure the Content-type is set correctly (image/jpg or something similar), put the contents of dt.rows[0]["image"] into a byte array and then write it out the binary image with something like Response.BinaryWrite(yourByteArray).
This is just a general outline. Use the googles for details :)
I've spent a while trying to find out whether what I want is possible.
I have 3 websites on different domains. Two are in English, one in French. We have one page in english, one in french which are identical apart from the text. These pages and relevant images (we'll call common content) are stored on a separate domain (reasons beyond my control) and use response-writefile to insert the content into the two english pages.
Got all that working fine. However, the images in these common pages have a path relative to domain on which they are stored, which means when the pages are written into the main pages, the images dont show. I understand why and can get around it by putting in the full path of the image.
I would prefer not to go through every single page changing the image path, is there any way of the server knowing or being told that the image is relative to the common content and not the rendered page?
I wouldn't have thought so, but it would save my day if there was!
Further explanation:
Relative path of image:
abc.png
Path of common content file:
http://domain1.com/CommonContent/123.html
Code in final pages (domain2.com/english.html):
<% Response.WriteFile("/CommonContent/123.html"); %>
Rendered path of image (what I don't want):
http://domain2.com/abd.png
Ideal path of image in rendered page: ie, what I want to happen:
http://domain1.com/CommonContent/abd.png
what you can do is use WebClient class to get the page content
String URI = "http://domain1.com/CommonContent/123.html";
WebClient webClient = new WebClient();
Stream stream = webClient.OpenRead(URI);
String request = reader.ReadToEnd();
then you perform a string replace, here I'm not sure what can match, maybe something like this can match:
request.Replace("<src=", "<src=http://domain1.com/CommonContent/")
then you render this string to the browser.
You can make Application Settings having the path for each domain on each application, and then maybe add a function that will be in charge of writing the full path of the pictures. Also you can make an HTTP Module to address this issue as well as a Generic Handler that will receive all requests for images and load them from different domains/applications.
Good luck!
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
What's a queryString doing in this stylesheet's href?
Can someone explain the significance and function of the 1) query string and 2) specific name/value pair (e.g. ?v=3) in the css snippet please?
/*Here is the snippet:*/
.css-class {
background-image: url("/images/sprites.png?v=3");
}
I've seen this used on link tags also on http://html5boilerplate.com/:
<link rel="stylesheet" href="css/style.css?v=2">
It's likely that the URL routes to a static resource on the server, and that the query string is simply a cache-busting modification of the URL. After rolling out a new version of the website's UI, they wanted to make sure none of the old versions of any images were cached on client's machines.
Another common approach is to append a timestamp, which would cause the resource to never be cached.
The query string helps to invalidate the browser cache when the image itself is changed.
Context: Usually you want to define long cache expiration date for static resources such as an image, so that browser don't download the image every time they visit the website. However, if the website owner wants to change the image he would need to wait a long time, until the image expires in all of the visitor's browser caches.
Since he has the query string attached, the website owner can increment the number, when the image has been changed. When the new css file is uploaded, all visitors will see the new image, because it is referenced through a new URL that has not been cached yet.
Found this URL on the HTML5 boilerplate site you linked. http://html5boilerplate.com/docs/Version-Control-with-Cachebusting/
It's like version. WHen there is a new version, owners want you to use new updated one, not one from cache, so ?v is changed and CSS is redownloaded
The URL could refer to a web server that directs the request to a script (e.g. using apache's mod_rewrite), but more likely, the query string is used to make the URL different from a previous version without modifying the actual location, thereby causing browser caches to see it as a different image.
I'm trying to execute an HTTP GET from my website to another website that is brought in via iframe.
On Firefox, you can see in the source that the correct url is in the iframe src along with it's correct parameters-- and it works.
On IE, you can see in the source that the correct url is in the iframe src along with it's correct parameters-- and it doesn't work...
Is there something about IE that doesn't let you pass parameters through an iframe in the querystring?
I've tried refreshing the iframe in IE, I've tried refreshing my page & the iframe in IE, and I've tried copying the url and re-pasting it into the iframe src (forcing it to refresh as if I just entered it into the address bar for that iframe window). Still no luck!
Anyone know why this is happening, or have any suggestions to try to get around this?
Edit: I cannot give a link to this because the site requires a password and login credentials to both our site and our vendor's site. Even though I could make a test account on our site, it would not do any good for the testing process because I cannot do the same for the vendor site. As for the code, all it's doing is creating the src from the backend code on page load and setting the src attribute from the back end...
//Backend code to set src
mainIframe.Attributes["src"] = srcWeJustCreated;
//Front end iframe code
<iframe id="mainIframe" runat="server" />
Edit: Problem was never solved. Answer auto accepted because the bounty expired. I will re-ask this question with more info and a link to the page when our site is closer to going live.
Thanks,
Matt
By the default security settings in IE query parameters are blocked in Iframes. On the security tab under internet options set your security level to low. If this fixes your problem then you know that is your issue. If the site is for external customers then expecting them to turn down their security settings is probably unreasonable, so you may have to find a work around.
Let's say your site is www.acme.com and the iframe source is at www.myvendor.com.
IIRC, most domain-level security settings don't care about the hostname, so add a DNS CNAME to your zone file for myvendor.acme.com, pointed back to www.myvendor.com. Then, in your IFRAME, set the source using your hostname alias.
Another solution might be to have your Javascript set the src to a redirector script on your own server (and, thus, within your domain). Your script would then simply redirect the IFRAME to the "correct" URL with the same parameters.
If it suits you, you can communicate between sites with fragment identifiers. You can find an article here: http://tagneto.blogspot.com/2006/06/cross-domain-frame-communication-with.html
What BYK said. I think what's happening is you are GETting a URL that is too large for IE to handle. I notice you are trying to send variable named src, which is probably very long, over 4k. I ran into this problem before, and this was my code. Notice the comment about IE. Also notice it causes a problem with Firefox then, which is addressed in another comment.
var autoSaveFrame = window.frames['autosave'];
// try to create a temp form object to submit via post, as sending the browser to a very very long URL causes problems for the server and in IE with GET requests.
var host = document.location.host;
var protocol = document.location.protocol;
// Create a form
var f = autoSaveFrame.document.createElement("form");
// Add it to the document body
autoSaveFrame.document.body.appendChild(f);
// Add action and method attributes
f.action = protocol + '//' + host + "/autosave.php"; // firefox requires a COMPLETE url for some reason! Less a cryptic error results!
f.method = "POST"
var postInput = autoSaveFrame.document.createElement('input');
postInput.type = 'text'
postInput.name = 'post';
postInput.value = post;
f.appendChild(postInput);
//alert(f.elements['post'].value.length);
// Call the form's submit method
f.submit();
Based on Mike's answer, the easiest solution in your case would be to use "parameter hiding" to convert all GET parameters into a single URL.
The most scalable way would be for each 'folder' in the URL to consist of the parameter, then a comma, then the value. For example you would use these URLs in your app:
http://example.com/app/param,value/otherparam,othervalue
http://example.com/app/param,value/thirdparam,value3
Which would be the equivalent of these:
http://example.com/app?param=value&otherparam=othervalue
http://example.com/app?param=value&thirdparam=value3
This is pretty easy on Apache with .htaccess, but it looks like you're using IIS so I'll leave it up to you to research the exact implementation.
EDIT: just came back to this and realised it wouldn't be possible for you to implement the above on a different domain if you don't own it :p However, you can do it server-side like this:
Set up the above parameter-hiding on your own server as a special script (might not be necessary if IE doesn't mind GET from the same server).
In Javascript, build the static-looking URL from the various parameters.
Have the script on your server use the parameters and read the external URL and output it, i.e. get the content server-side. This question may help you with that.
So your iframe URL would be:
http://yoursite.com/app/param,value/otherparam,othervalue
And that page would read and display the URL:
http://externalsite.com/app?param=value&otherparam=othervalue
Try using an indirect method. Create a FORM. Set its action parameter to the base url you want to navigate. Set its method to POST. Set its target to your iframe and then create the necessary parameters as hidden inputs. Finally, submit the form. It should work since it works with POST.