1

I have a folder with pictures 1.jpg, 2.jpg, 3.jpg... Is there any way to prevent user to type the URL like www.example.com/pictures/3.jpg directly into browser and loading that image?

The image should be loaded if web html calls it (< img href=...).

Is that possible to do? Using IIS URL Rewrite or some other technique?

I am using IIS7.5. My goal is to prevent users to see the next image... I know, I could have names encoded, but I have some old database that goes from 1-1000 and I'd somehow like to prevent just users not to browse using url with no refferer... Because every day I am serving one picture and I don't want that they find the rest...

Is that possible at all?

casperOne
  • 73,706
  • 19
  • 184
  • 253
Jerry2
  • 2,955
  • 5
  • 30
  • 39
  • You might be able to use some kind of specially constructed token that IIS could validate. But I doubt it would be worth the time. My answer would be no (at least not worth it). – Jared Farrish Jul 24 '11 at 20:20
  • Thanx. So there is no easy way? – Jerry2 Jul 24 '11 at 20:21
  • I don't see an easy way. You could possibly look into using CSS to display encoded images embedded in a stylesheet (http://www.greywyvern.com/code/php/binary2base64), but I'm not sure it's supported in every browser. We'll see what others have to say. – Jared Farrish Jul 24 '11 at 20:23

1 Answers1

1

You can try it with a url rewrite by relying on HTTP_REFERRER but that's not always accurate and could possibly block users on some browsers from seeing the images on your site as well.

If I were you I would move all of your images outside your web directory (or preferably just block the pictures folder altogether) and then build a php script like this called image.php:

<?php

define('NUM_IMAGES', 1000);

header('Content-Type: image/png');

$image = imagecreatefromjpeg('pictures/'.((int)(time()/86400)%NUM_IMAGES+1).'.jpg');
imagepng($image);

?>

The script above will output an image to the users browser which will change once a day to the next image in sequence and you can use it like: <img src="image.php" />

Then, since your images folder is blocked, nobody can see any other image. Then can still request image.php directly but they'll only see the image of the day.

If you don't want to rotate automatically once a day and want manual control over which image it shows you can also just replace the '.((int)(time()/86400)%1000+1).' with the number of the image you want to display .

If you do want it to rotate automatically, but want to control the time it updates at you can add an offset to time() like: ((time()+$offset)/86400)

Paul
  • 139,544
  • 27
  • 275
  • 264
  • @Jerry2 Good point haha, I'm too used to apache :) I'm sure there's an equivalent IIS way to prevent that folder from being accessible :) – Paul Jul 25 '11 at 04:24