Thread: Image Security

  1. #1
    SitePoint Addict kivison

    Image Security

    Hi People

    I am putting together a back office app for a local authority where the images are very sensitive, nothing bad just personal information stuff.

    Has anyone got any comments on the best way to secure these? I was thinking of hashing the directory name and image so no one would ever be able to guess it; for instance, the URL of the image would be something like

    https://webname/doc_area/uw8enl4s/m3...nc9a84jgr5.jpg

    Would this be regarded as a secure method if no directory browsing is allowed?

    Granted, once the user browses to it they would have the image in their cache, but I am looking at only giving access to images to the administrators, who would have the images on their computers anyway.

    The only other thing I can think of is in some way serving the image back to a temporary directory or inline data which would be destroyed when the page closes?

    Any thoughts?

    Thanks in advance

    Keith

  2. #2
    Certified Ethical Hacker dklynn
    Keith,

    Cache is the least of your worries because most browsers can save images directly (and renamed, if desired). Basically, if you trust the visitors to view the images, they can be saved by each and every one and there's nothing you can do about it. Yes, you can make it more difficult with layered DIVs but that's futile.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  3. #3
    SitePoint Addict
    Another option is to store the images as BLOBs within a database system on the server, and use all the authentication and security of the DBMS to help control access. That way the actual images never exist as files in the server's filesystem.
    Doug G
    =====
    "If you ain't the lead dog, the view is always the same" - Anon

  4. #4
    SitePoint Addict kivison
    Thanks dklynn and Doug G for getting back to me.

    I think that the BLOB idea is worth looking into. I think I remember an example in Kevin Yank's book many, many moons ago when learning PHP for the first time.

    Am I correct in thinking though, dklynn, that even if the image can't be seen by navigating to a folder (using the BLOB DB method), there will still be a cached image on the user's machine?

    Thanks in advance

    Keith

  5. #5
    Programming Team Mittineague
    The browser isn't served a BLOB, the BLOB is used to create an image. So the browser will have an image to save if so desired.
    AFAIK there is no way to give something to someone without letting them have it. Can you afford legal avenues when/if need be?

  6. #6
    Certified Ethical Hacker dklynn
    Thanks, Mitt, spot on!

    Regards,

    DK

  7. #7
    SitePoint Addict kivison
    Thanks for getting back, Mitt.

    I think I am going to have to go back to them and explain the ramifications of the image provision. I can only serve the images if the IP is an internal address.

    Thanks for all your help guys, you are amazing

    Keith
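
Added example, not part of the thread: a Python sketch of the design the replies converge on, where image bytes are released only by a handler that checks an internal client address and an administrator session, instead of relying on an unguessable URL. The address ranges, the in-memory `SESSIONS` and `IMAGES` stores (standing in for a session table and a BLOB column) and all function names are assumptions.

```python
import ipaddress
import secrets

# Assumed internal ranges; replace with the authority's real networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SESSIONS = {}                                    # token -> {"user", "role"}
IMAGES = {"doc1": b"\xff\xd8\xff constructed"}   # id -> bytes (constructed sample)
AUDIT = []                                       # (user, image_id, client_ip, status)

def login(user, role):
    """Issue an unguessable session token (hypothetical helper)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "role": role}
    return token

def serve_image(image_id, session_token, client_ip):
    """Return (status, headers, body); every decision is audited."""
    # no-store keeps the response out of browser and proxy caches.
    headers = {"Cache-Control": "no-store", "X-Content-Type-Options": "nosniff"}
    session = SESSIONS.get(session_token)
    user = session["user"] if session else None
    body = b""
    try:
        internal = any(ipaddress.ip_address(client_ip) in net for net in INTERNAL_NETS)
    except ValueError:
        internal = None                          # unparseable address
    if internal is None:
        status = 400
    elif not internal:
        status = 403                             # outside the internal networks
    elif session is None:
        status = 401                             # no valid login
    elif session["role"] != "admin":
        status = 403                             # logged in, but not an administrator
    elif image_id not in IMAGES:
        status = 404
    else:
        status, body = 200, IMAGES[image_id]
        headers["Content-Type"] = "image/jpeg"
    AUDIT.append((user, image_id, client_ip, status))
    return status, headers, body
```

`client_ip` should be the socket peer address (or a value set by a reverse proxy you control), never a client-supplied header. `no-store` only limits caching: as the replies point out, an authorised viewer can still save the image.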

