I am facing a bit of trouble right now. I have an image gallery for which I store images in a folder. Now if I want to access the images without any processing, I must keep the folder where I can directly access it, like SomeFolder/imageset/image.jpeg, but this cannot be protected thoroughly. Second, if I keep the image folder in the App_Data folder then I must use an HttpHandler. This handler is creating a lot of mess because a lot of thumbs have to be generated and other processing done, which makes the system respond very slowly. What should I do to protect the user albums and make it snappy?

One way would be to use config to restrict access, and you can create roles and allow/restrict by it; see here: http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx – Zaki Jun 13 '13 at 12:10
No, it is the user album, so I don't think I can create roles for each individual user. – Spirals Whirls Jun 13 '13 at 12:15
2 Answers
This question comes to mind most of the time: how to protect images.
Still, there is no foolproof technology for it; Facebook does some stuff around protecting images.
If you have confidential images, you can either store them in the DB, where they will be accessible via permissions given to roles.
Or, if you need a folder only, then authorize it for particular roles in Web.config.
(I am assuming the User-Role implementation is there.)

Consider something like Facebook photo albums, which belong to a user. If he wishes, he lets others see it; if he does not, then it is not accessible by anyone. Roles are not making sense here. – Spirals Whirls Jun 13 '13 at 12:14
OK, in that case, why don't you store this in the DB and manage user permissions at DB level? – Nipun Ambastha Jun 13 '13 at 12:15
Oh... I recently changed to a folder. I thought this was creating extra load for the DB, as I was also told that the DB is not for images in particular, and I felt it too. – Spirals Whirls Jun 13 '13 at 12:17
Hmm, it does put some extra load; however, with the latest SQL Server and the right queries we can optimize the load. – Nipun Ambastha Jun 13 '13 at 12:18
I have changed the design of the photo album twice and now I am fully confused about what I should do. – Spirals Whirls Jun 13 '13 at 12:19
From what I've read it doesn't seem you can achieve this with a directory specific Web.config? – Stokedout Jun 13 '13 at 12:19
No, I don't think so... there we can do it on a role basis. In my case roles do not make sense. – Spirals Whirls Jun 13 '13 at 12:20
@SpiralsWhirls Another wild thought is WCF, if you want it. http://stackoverflow.com/questions/1829269/efficient-way-to-send-images-via-wcf http://forums.asp.net/t/1263151.aspx/1 – Nipun Ambastha Jun 13 '13 at 12:21
@Stokedout I was thinking about this: http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx – Nipun Ambastha Jun 13 '13 at 12:23
Generally, this folder is used by your application to store files used in the application, like MDF, XMLs etc. So you can give it a go with App_Data; I don't see any harm in this. – Nipun Ambastha Jun 13 '13 at 12:31
Based on @Nipun's suggestion of using directory specific Web.config files to authorize access you could do the following.
Create a folder /Root/Images/Albums and add a web.config file with the following:

    <configuration>
      <system.web>
        <!-- <authentication mode="Forms"/> belongs in the application root web.config;
             ASP.NET raises a configuration error if it appears in a subfolder. -->
        <authorization>
          <deny users="?"/> <!-- block anonymous users -->
        </authorization>
      </system.web>
    </configuration>

Each time you create a new user specific album, create a sub folder in the albums directory with the user's name, i.e. /Images/Albums/Stokedout/. And also dynamically create a web.config file which allows only that user to access it.

    <configuration>
      <system.web>
        <authorization>
          <allow users="Stokedout"/> <!-- the album owner -->
          <deny users="*"/>          <!-- everyone else -->
        </authorization>
      </system.web>
    </configuration>

If you do the above then no one else can see each other's images. This is however a concept which I haven't tried.

Hh... OK, seems interesting to me. I must try this. But right now I think the App_Data folder will be the best choice, and the HttpHandler concept. – Spirals Whirls Jun 13 '13 at 12:36
That's cool. But it's worth a try if you are already using Membership services with Forms authentication. It would work for Windows auth too. The only issue would come about if the user was allowed to choose another username, for which you'd have to adjust the folder and config. – Stokedout Jun 13 '13 at 12:45
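The App_Data plus HttpHandler approach discussed in this thread, as an added example that is not code from any of the posts: the handler checks per-album sharing, confines the path to the albums root, and only transmits files already on disk, so no thumbnail work happens per request. The URL shape, the `~/App_Data/Albums/<owner>/thumbs` layout, the name character set and `AlbumAccess.CanView` are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;
// Assumed URL shape: /AlbumImage.ashx?owner=alice&file=beach.jpg&thumb=1
public class AlbumImageHandler : IHttpHandler
{
    // \A and \z anchor the whole string, so a trailing newline cannot slip through.
    static readonly Regex SafeName = new Regex(@"\A[A-Za-z0-9_-]{1,64}\z");
    static readonly Regex SafeFile = new Regex(@"\A[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)\z", RegexOptions.IgnoreCase);
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        string owner = ctx.Request.QueryString["owner"] ?? "";
        string file = ctx.Request.QueryString["file"] ?? "";
        string viewer = ctx.User != null && ctx.User.Identity.IsAuthenticated ? ctx.User.Identity.Name : null;
        // Whitelist both names, then apply the per-album sharing rule.
        bool ok = SafeName.IsMatch(owner) && SafeFile.IsMatch(file) && AlbumAccess.CanView(viewer, owner);
        string path = null;
        if (ok)
        {
            // Thumbnails are assumed to be pre-generated at upload time in <owner>/thumbs.
            string root = ctx.Server.MapPath("~/App_Data/Albums");
            string dir = ctx.Request.QueryString["thumb"] == "1"
                ? Path.Combine(root, owner, "thumbs") : Path.Combine(root, owner);
            path = Path.GetFullPath(Path.Combine(dir, file));
            // Defence in depth: the resolved path must stay under the albums root.
            ok = path.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase) && File.Exists(path);
        }
        if (!ok) { ctx.Response.StatusCode = 404; return; } // same reply for missing and forbidden
        ctx.Response.ContentType = MimeMapping.GetMimeMapping(path); // System.Web, .NET 4.5+
        ctx.Response.Cache.SetCacheability(HttpCacheability.Private); // keep out of shared caches
        ctx.Response.TransmitFile(path); // writes the file without buffering it in memory
    }
}

static class AlbumAccess // hypothetical stand-in for the application's sharing lookup
{
    // Constructed sample data: album owner -> users that owner has shared with.
    static readonly Dictionary<string, HashSet<string>> Shares =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        { { "alice", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "bob" } } };
    public static bool CanView(string viewer, string owner)
    {
        if (viewer == null) return false; // anonymous users never see albums
        HashSet<string> shared;
        return string.Equals(viewer, owner, StringComparison.OrdinalIgnoreCase) || (Shares.TryGetValue(owner, out shared) && shared.Contains(viewer));
    }
}
```

Because access is decided per request from the sharing data, an owner can change who sees an album without touching files or configuration; a browser that already cached an image privately may keep showing it until that cache entry expires.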