asp.net secure images against static requests from other users

Tags: asp.net, image, security

I work on a site that generates dynamic images for each specific user. Sometimes these images contain depictions of very sensitive data. Lately we have started to see requests for images that belong to a different user in the form of

http://myapp/images/someuid/image1.jpg

Obviously, someone figured out they could access another user's images if they created the proper URL. We store the images on the file system to help reduce bandwidth.

  • How can we protect this – some sort of HTTP handler?

  • Is there a way of serving the image to take advantage of caching without having to write it to the file system and letting IIS do the dirty work?

Best Solution

Use an .ashx:

// Inside the handler's ProcessRequest(HttpContext context).
// filenameofGif is the path of the image on disk; lastModified is its last-write time.
TimeSpan maxAge = new TimeSpan(0, 15, 0); // 15 minute lifetime.

context.Response.ContentType = "image/gif";
context.Response.Cache.SetCacheability(HttpCacheability.Private); // browser cache only, never a shared proxy
context.Response.Cache.SetExpires(DateTime.UtcNow.Add(maxAge));
context.Response.Cache.SetMaxAge(maxAge);
context.Response.Cache.SetLastModified(lastModified); // last modified date time of file
context.Response.WriteFile(filenameofGif);

You can include whatever code checks you need to ensure the correct user is accessing the image.
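Below is an added example of what such a handler looks like once the ownership check, a path-traversal guard and a conditional-GET (304) response are filled in. It is not the answer's or the site's own code. It assumes a hypothetical folder `D:\SecureImages` outside the web root, that `Identity.Name` holds the uid that appears in the URL, and that the handler is mapped to `images/*` in web.config (see the note after the code).

```csharp
using System;
using System.Globalization;
using System.IO;
using System.Web;

// Hypothetical handler; map it to images/* in web.config (see note below).
public class SecureImageHandler : IHttpHandler
{
    // Assumption: images are stored OUTSIDE the web root, so the IIS static
    // file handler can never serve them without going through this code.
    private static readonly string ImageRoot = Path.GetFullPath(@"D:\SecureImages");

    // Cache lifetime, as in the answer above.
    private static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(15);

    public bool IsReusable { get { return true; } }

    // A URL path segment is accepted only if it is a bare name: no separators,
    // no drive letters, no "." or "..", no characters Windows rejects in file names.
    private static bool IsSafeSegment(string s)
    {
        return s.Length > 0 && s != "." && s != ".." &&
               s == Path.GetFileName(s) &&
               s.IndexOfAny(Path.GetInvalidFileNameChars()) < 0;
    }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        // 1. Authentication: anonymous callers get 401 and nothing else.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            response.StatusCode = 401;
            return;
        }

        // 2. Parse ~/images/{uid}/{file} from the executing path.
        string[] parts = request.AppRelativeCurrentExecutionFilePath
            .TrimStart('~', '/').Split('/');
        if (parts.Length != 3 ||
            !string.Equals(parts[0], "images", StringComparison.OrdinalIgnoreCase) ||
            !IsSafeSegment(parts[1]) || !IsSafeSegment(parts[2]))
        {
            response.StatusCode = 404;
            return;
        }
        string uid = parts[1];
        string fileName = parts[2];

        // 3. Authorization: the uid in the URL must be the caller's own uid.
        //    Assumption: Identity.Name carries the uid; swap in your own
        //    ownership lookup (e.g. a database query) if it does not.
        if (!string.Equals(uid, context.User.Identity.Name, StringComparison.Ordinal))
        {
            response.StatusCode = 403;   // same response whether or not the file exists
            return;
        }

        // 4. Defence in depth: the resolved path must still sit under ImageRoot.
        string fullPath = Path.GetFullPath(Path.Combine(ImageRoot, uid, fileName));
        if (!fullPath.StartsWith(ImageRoot + Path.DirectorySeparatorChar,
                                 StringComparison.OrdinalIgnoreCase) ||
            !File.Exists(fullPath))
        {
            response.StatusCode = 404;
            return;
        }

        // 5. Cache headers: Private keeps the image out of shared proxy caches,
        //    so a cached copy can only ever be replayed to the same browser.
        DateTime lastModified = File.GetLastWriteTimeUtc(fullPath);
        // HTTP dates have one-second resolution; drop sub-second ticks so the
        // comparison in step 6 is exact.
        lastModified = lastModified.AddTicks(-(lastModified.Ticks % TimeSpan.TicksPerSecond));
        response.Cache.SetCacheability(HttpCacheability.Private);
        response.Cache.SetExpires(DateTime.UtcNow.Add(MaxAge));
        response.Cache.SetMaxAge(MaxAge);
        response.Cache.SetLastModified(lastModified);

        // 6. Conditional GET: answer If-Modified-Since with 304 and no body, so
        //    the browser reuses its copy and the server does not re-send the file.
        DateTime since;
        if (DateTime.TryParse(request.Headers["If-Modified-Since"], CultureInfo.InvariantCulture,
                              DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal,
                              out since) &&
            since >= lastModified)
        {
            response.StatusCode = 304;
            response.SuppressContent = true;
            return;
        }

        // 7. Serve the file with a content type derived from its extension
        //    (MimeMapping.GetMimeMapping is available from .NET 4.5).
        response.ContentType = MimeMapping.GetMimeMapping(fileName);
        response.WriteFile(fullPath);
    }
}
```

To route every request under `/images/` through it on IIS 7+ in integrated mode, add `<add name="SecureImages" path="images/*" verb="GET" type="SecureImageHandler" />` under `<system.webServer><handlers>` in web.config. The mapping alone is not enough: if the physical files stay inside the web root, the static file handler can still serve them from another path, which is why the example reads them from a folder outside it. The 403-before-existence-check ordering is deliberate, so a guessed URL reveals nothing about whether another user's image exists.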