ASP.NET: secure images against static requests from other users


I work on a site that generates dynamic images for each specific user. Sometimes these images contain depictions of very sensitive data. Lately we have started to see requests for images that belong to a different user in the form of


Obviously, someone figured out they could access another user's images if they created the proper URL. We store the images to the file system to help reduce bandwidth.

  • How can we protect this – some sort of HTTP handler?

  • Is there a way of serving the image to take advantage of caching without having to write it to the file system and letting IIS do the dirty work?

Best Solution

Use an .ashx:-

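TimeSpan maxAge = new TimeSpan(0, 15, 0); // 15-minute lifetime.

context.Response.ContentType = "image/gif";
context.Response.Cache.SetCacheability(HttpCacheability.Private); // per-user image: browser cache only, not shared proxies
context.Response.Cache.SetMaxAge(maxAge); // apply the lifetime declared above
context.Response.Cache.SetLastModified(lastModified); // last-modified date/time of the file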

You can include whatever code checks you need to ensure the correct user is accessing the image.
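
A fuller handler along the lines of the answer above, as an added example that is not part of the original answer: it derives the image owner from the authenticated identity rather than from the URL, so editing the URL cannot reach another user's file. The class name, the `id` query parameter, the `~/App_Data/UserImages/<user>/<id>.gif` layout and the user-name character set are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Added example; UserImageHandler, the "id" parameter and the folder layout are hypothetical.
public class UserImageHandler : IHttpHandler
{
    // Assumed: user names and image ids use only these characters. \z rejects a trailing newline.
    private static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9_-]{1,64}\z");
    private static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(15);

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Only authenticated callers get any image at all.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // 2. The owner is taken from the session identity, never from the request.
        string owner = context.User.Identity.Name;
        string imageId = context.Request.QueryString["id"];
        if (owner == null || imageId == null ||
            !SafeName.IsMatch(owner) || !SafeName.IsMatch(imageId))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // 3. Files live under App_Data, which ASP.NET refuses to serve as static content.
        string root = context.Server.MapPath("~/App_Data/UserImages");
        string path = Path.Combine(Path.Combine(root, owner), imageId + ".gif");
        if (!File.Exists(path))
        {
            context.Response.StatusCode = 404; // same reply for "missing" and "not yours"
            return;
        }

        // 4. Cache in the requesting user's browser only, as in the answer's snippet.
        context.Response.ContentType = "image/gif";
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.Cache.SetMaxAge(MaxAge);
        context.Response.Cache.SetLastModified(File.GetLastWriteTimeUtc(path));
        context.Response.TransmitFile(path);
    }
}
```

The image files have to be moved out of any folder IIS serves statically, otherwise the original direct URLs keep working and bypass the handler.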