Nice ideas guys, thanks! :) Sam
----- Original Message -----
From: "Robert Chartier" <[EMAIL PROTECTED]>
To: "ActiveServerPages" <[EMAIL PROTECTED]>
Sent: Friday, October 11, 2002 10:43 PM
Subject: RE: Prevent image linking

> Of course REFERRER can be hacked...
>
> You could use REFERRER as a first line though.
>
> The FSO method described by Neal, although it was a good idea, may lead
> to some issues when too many requests are coming in, locking files,
> images not showing up, etc. Kind of ugly.
>
> ..off the top of my head...
>
> What about having a rolling querystring value that has to be supplied
> also? Something along these lines:
>
> -the user hits YOUR site, and you set a cookie (a GUID).
> -you keep that GUID and expire it, every 5 min or so
>  (that is generate a new one, and set in cookie)
> -have the GUID global for all users
> -whenever you want to get an image,
>  pull that GUID and shove it into the image url
>  validate it in your database
> -delete all GUIDs older than 10 minutes
>  meaning images pulled with that GUID after 10 minutes will be
>  invalid
>
> ..this means that they MUST hit your site, get the GUID, and send that
> along with image requests. At least every 5 minutes.
>
> You could even intelligently generate valid GUIDs based on their
> requests... Take IP + Image IDs + whatever to build the valid
> request, which then your script will validate. We all know that IP is
> usually not a very good thing to use, but since we are talking about a
> single request in this case it seems to be acceptable....
>
> -----Original Message-----
> From: Chris Janz [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 11, 2002 8:40 AM
> To: ActiveServerPages
> Subject: RE: Prevent image linking
>
> use HTTP-REFERRER (or equivalent)
>
> -chris
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 11, 2002 11:40 AM
> To: ActiveServerPages
> Subject: Re: Prevent image linking
>
> I'm wondering if perhaps you use the FileSystemObject in this way:
>
> Whatever your imagename is, append a "1" to the end of the filename. Run
> a script so that every hour the number appended to your filename gets
> changed so at 0200hrs your image is called something like Imagename2 and
> at 0300 hours it is called Imagename3 etc. Also modify your links to
> check the time of day and alter the filename you are linking to
> accordingly.
>
> That way anyone linking directly to your images would have to sit there
> 24 hours a day modifying their links.
>
> Quoting Sam Thompson <[EMAIL PROTECTED]>:
>
> > Hi guys, I want to protect the images on my site and stop people from
> > linking to them.
> >
> > The images are uploaded and I store the file name in the database,
> > then when I display the image I do something like this:
> >
> > <img src=GetPicture.asp?23>
> >
> > In GetPicture.asp I've got:
> >
> > <%
> > ....
> > SELECT FileName FROM Pictures WHERE PictureID = PictureID
> > Response.Redirect objRS("FileName")
> > ....
> > %>
> >
> > This displays the image, no probs. But I want to stop people from
> > linking to this image or displaying it on other sites, so I tried:
> >
> > <%
> > If Request.ServerVariables("HTTP_HOST") = "www.myURL.com" Then
> > ....
> > SELECT FileName FROM Pictures WHERE PictureID = PictureID
> > Response.Redirect objRS("FileName")
> > ....
> > Else
> > Response.Redirect "someotherimage.gif"
> > End If
> > %>
> >
> > However this seems to have no effect, anyone got any suggestions?
> >
> > Thanks
> >
> > Sam
> >
> > ---
> > You are currently subscribed to activeserverpages as:
> > [EMAIL PROTECTED] To unsubscribe send a blank email to
> > %%email.unsub%%
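
The last suggestion in Robert Chartier's message (build the valid request from IP + image ID and have the script validate it) combined with his 5-minute roll and 10-minute cutoff can be done without a database table by signing those values with a server-side secret. This is an added example, not code from the thread, written in Python rather than ASP; the key, the `id` and `t` parameter names and the use of HMAC-SHA256 are assumptions.

```python
import hashlib
import hmac
import time

# Assumptions (not from the thread): key value, parameter names, SHA-256.
SECRET_KEY = b"constructed-demo-key"   # server-side only, never sent to clients
WINDOW_SECONDS = 300                   # token value rolls every 5 minutes
ACCEPTED_WINDOWS = 2                   # current + previous: dead within 10 minutes


def _sign(picture_id, client_ip, window):
    """HMAC over the values the post suggests binding: image ID, IP, time window."""
    msg = f"{picture_id}|{client_ip}|{window}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(picture_id, client_ip, now=None):
    """Called while rendering the page; the result goes into the image URL."""
    now = time.time() if now is None else now
    return _sign(picture_id, client_ip, int(now) // WINDOW_SECONDS)


def is_valid(token, picture_id, client_ip, now=None):
    """Called by the image script before it serves the file."""
    if not isinstance(token, str) or not token:
        return False                   # no token at all: a plain hotlink
    now = time.time() if now is None else now
    current = int(now) // WINDOW_SECONDS
    ok = False
    for window in range(current, current - ACCEPTED_WINDOWS, -1):
        expected = _sign(picture_id, client_ip, window)
        # constant-time comparison; bytes so non-ASCII input cannot raise
        ok |= hmac.compare_digest(token.encode(), expected.encode())
    return ok


if __name__ == "__main__":
    t0 = 1_200_000_000                 # constructed timestamp, start of a window
    tok = make_token(23, "203.0.113.7", now=t0)
    print("GetPicture.asp?id=23&t=" + tok)
    print(is_valid(tok, 23, "203.0.113.7", now=t0 + 599))   # still inside 10 min
    print(is_valid(tok, 23, "203.0.113.7", now=t0 + 600))   # expired
```

A token copied into another site's page stops working within ten minutes and never works for a visitor on a different IP or for a different picture ID.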
