>
> If you really want to only provide content to specific users, you must
> provide some sort of access control mechanism. The same mechanism should
> apply to images you wish to protect.
>
Which was the point of this thread.  ;-)



On Friday 12 December 2003 11:52 am, Erik Wright wrote:
> How does an image get displayed in a page?
>
> 1. The browser receives an HTML page with an IMG tag in it. The IMG tag
> contains a src attr (an HTTP URL).
> 2. The browser makes another request, for the URL of the image.
> 3. The server returns the image, which is displayed.
>
> Clearly, if you want an image to be displayed within a web page, the
> image must be available on your server. There is no difference between
> the browser making a request for an URL and the user typing that URL
> into the address bar directly. Maybe you can look at the referer field,
> but of course that can be hoaxed so if you are really trying to keep
> this secure that is not a solution.
>
> If you really want to only provide content to specific users, you must
> provide some sort of access control mechanism. The same mechanism should
> apply to images you wish to protect.
>
> This is all related to the fundamental workings of HTTP.
>
> HTTP is an integral part of how the web works - anyone thinking of
> designing a website (especially using scripting languages, servlets, or
> anyone trying to provide any type of security) should understand at
> least the fundamentals of HTTP.
>
> -Erik
>
> Christopher Schultz wrote:
> > All,
> >
> >> It would be <img src="http://yourserver/yourservlet?param=paramValue"
> >> alt="something">
> >
> > This still doesn't answer the "original" interpreted question. I don't
> > think it's possible to display an image on a page and prevent users
> > from browsing to it directly from their browser.
> >
> > The only thing I can think of is to check the REFERER header to see if
> > it came from the page on which you want to display it. That's also not
> > foolproof...
> >
> > -chris
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]

-- 
Ben Souther
F.W. Davison & Company, Inc.
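
[Added example, not part of the original thread or any poster's code.] A servlet that applies the same access control to images as to pages, as the quoted message recommends, instead of trusting the Referer header. It assumes a login step elsewhere stores a "user" session attribute, that images are kept in a hypothetical /var/app/protected-images directory outside the web root, and that the javax.servlet API (3.1 or later) is in use; "param" is the query parameter from the IMG URL quoted above.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ProtectedImageServlet extends HttpServlet {
    // Assumed location: outside the web application, so the container's
    // default servlet can never hand these files out by direct URL.
    private static final Path IMAGE_ROOT =
            Paths.get("/var/app/protected-images").toAbsolutePath().normalize();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Same gate as the protected HTML pages: an authenticated session.
        // Referer is not consulted at all, because the client controls it.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) { // "user" is an assumed attribute name
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String name = req.getParameter("param");
        Path file;
        try {
            // Resolve under IMAGE_ROOT, then collapse any "../" segments.
            file = IMAGE_ROOT.resolve(name == null ? "" : name).normalize();
        } catch (InvalidPathException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Refuse anything that escaped IMAGE_ROOT or is not a plain file.
        if (!file.startsWith(IMAGE_ROOT) || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String type = getServletContext().getMimeType(file.getFileName().toString());
        resp.setContentType(type != null ? type : "application/octet-stream");
        // Keep caches from storing a response that was gated on a session.
        resp.setHeader("Cache-Control", "private, no-store");
        resp.setContentLengthLong(Files.size(file));
        Files.copy(file, resp.getOutputStream());
    }
}
```

A request for the image URL typed straight into the address bar gets the image only if the browser already holds a logged-in session, which is the same rule the page itself is served under.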


