I have a gridview in which one column contains images. I have used lightbox to zoom the clicked image. But when I right click on the image and select the option "Open link in new tab", the image gets opened in a new tab. That's not a problem.
After that I press the log out button. Now I copy that image link and paste it in the address bar, and the same picture gets opened. I want it to first check whether the user has logged in, and then open the image only if he has logged in.
All the images of the gridview are stored in a folder named "product images".
I am already checking login status on the page where gridview is used.
Tell me what to do.
Your problem is that security trimming is not applied on your images.
Static resources do not follow the same route as an asp.net page so security trimming is not applied on images.
As long as you have a web.config file that does not allow unauthorized users in that images folder, you could handle the problem by setting at web.config => system.webServer => modules
<modules runAllManagedModulesForAllRequests="true">
... but this would mean that all resources would be routed through the asp.net pipeline, which could generate performance issues.
In response to your question (my solution):
I would actually go through another way, which would be a little more difficult, which would be:
Make the folder product images invisible to any user by using IIS Request Filtering (=>Hidden Segments=> Disallow access to that folder)
Then create a custom http handler (.ashx file) in which I would have the image name as a parameter. That handler at ProcessRequest would get the image parameter, open the specific file and stream the data from the image to response.
That handler could easily be under security trimming, as long as it goes through the ASP.NET pipeline, so users not logged in would not have access to the handler. Performance would be somewhat slower but only for those specific images. Also note that you should change any direct calls to the images. For example, if you had src='/product images/imageA.png', this should change to src='/ImagesHandler.ashx?image=imageA.png'.
After your comment on difficulty and Abhishek Punj's answer I would like to mention:
My solution wouldn't need to register handlers for each file type (what if you add a .jpg file type afterward and haven't registered it?).
Also, even with Abhishek Punj's answer you would still need to stream image data from the image file to response.
In addition, with my solution, you won't need to custom check for user permissions at ProcessRequest but ASP.NET security trimming would handle it.
Also, my solution tries to "protect the folder" where Abhishek Punj's tries to "protect the file type globally".
But most important, Abhishek Punj's answer means that ALL IMAGES would go through the ASP.NET pipeline, which means that if you had any images at the log on form for example, they won't be shown to the user either! After all, if you would handle all image file types, then why wouldn't you go with runAllManagedModulesForAllRequests="true", without any coding?
You can create a new handler and register it in IIS for the type of extension that your image file has. In that handler on begin request you can check if the user is authenticated using the Principal set by the forms authentication. This would not fire for all the static files and hence would perform better than the solution mentioned by George.
However there is one more problem that you will face: all the static resources are cached by the browser and hence it might not send a request to the server at all and just display the image to the user without authentication.
To deal with this problem you will need to set the no-cache header in the response from the custom handler you wrote in the first step so that the browser doesn't cache the response and always hits the server to serve the response.
Response.AppendHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
Response.AppendHeader("Pragma", "no-cache"); // HTTP 1.0.
Response.AppendHeader("Expires", "0"); // Proxies.
Hope this gives you the desired direction.
EDIT: Based on points raised by George
runAllManagedModulesForAllRequests="true" will not only be triggered for all images, it will also be triggered for all CSS files and javascript files as well, hence increasing the overhead.
If you want to specifically restrict files just in a specific directory a very simple way would be to mention the directory as a key in the config and do a regex comparison to check if the request is required to be authenticated or not.. this can also be extended to cater to various files or directories to be included or restricted with a custom configuration section as per need.
As far as registering the handler for requests with other file extensions is concerned, it's a matter of seconds, not a painful task.
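The handler the two answers above describe, as an added example that is not part of the original posts: it reads the `image` parameter from the first answer, applies the authentication check and no-cache headers from the second, and accepts only a bare file name so the parameter cannot be used to read files outside the image folder. The class name follows the `ImagesHandler.ashx` URL in the answer; the folder constant and the extension allow-list are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Added example (not from the original answers). Code-behind for ImagesHandler.ashx.
public class ImagesHandler : IHttpHandler
{
    // Assumption: the folder from the question, hidden from direct requests in IIS.
    private const string ImageFolder = "~/product images/";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // Never let the browser or a proxy replay the image after logout.
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetNoStore();

        // Explicit check, in addition to any <authorization> rule in web.config.
        if (!context.Request.IsAuthenticated) { response.StatusCode = 401; return; }

        // Accept a bare file name only: no separators, drive letters or wildcards,
        // so a value such as "..\web.config" cannot leave the image folder.
        string name = context.Request.QueryString["image"];
        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        { response.StatusCode = 400; return; }

        // The extension allow-list doubles as the Content-Type map.
        string contentType;
        switch (Path.GetExtension(name).ToLowerInvariant())
        {
            case ".png": contentType = "image/png"; break;
            case ".jpg": case ".jpeg": contentType = "image/jpeg"; break;
            case ".gif": contentType = "image/gif"; break;
            default: response.StatusCode = 400; return;
        }

        string fullPath = Path.Combine(context.Server.MapPath(ImageFolder), name);
        if (!File.Exists(fullPath)) { response.StatusCode = 404; return; }

        response.ContentType = contentType;
        response.TransmitFile(fullPath);
    }
}
```

With forms authentication enabled, the 401 is turned into a redirect to the login page, so an image URL pasted after logout lands on the login form instead of the image.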
Related
I am using HtmlAgilityPack.
I am downloading articles and images from one web site. 80% of images download without problem, but some images throw an error. I can see the name of the error in the image_failed event.
I am downloading image like that:
Image = new BitmapImage(new Uri(img.Attributes["src"].Value));
I have searched google and found that this is really WTF problem.
There's a good chance the referrer header is screwing you up. You need to issue the calls yourself (instead of relying on BitmapImage to download the file).
There's a handy snippet/utility that 'extends' xaml and makes it easier to do.
http://blogs.msdn.com/b/swick/archive/2011/08/04/wp7-mango-image-download-with-custom-referer-header.aspx
Edit: Explanation
A lot of sites block requests for images not coming from their sites. That way, if you have http://mysite.com and you link to images in http://cnn.com, they can block images directly linked and redirect them or something.
Now, the reason it works is that the browser controls all calls made from the tag (or from any other mechanism such as AJAX) and it adds the REFERRER HTTP header saying where the request is coming from (http://mysite.com) - and then the cnn.com code can block it.
In .NET desktop, the Referrer header is not automatically added to the request - that means that the call would be blocked by some site that checks for an empty referrer and not for others that don't.
Switch to WP7/8 which is based on Silverlight. In Silverlight, the referrer is the site on which the Silverlight control is hosted. So if you have a SL control running on http://mysite.com and it makes [any] http request, the referrer header will be automatically set for you to http://mysite.com. There's no way to control that afaik (for security reasons). Windows Phone, however, while based on SL, does not need to be bound by the same security constraints. However, when they "ported" the code to Windows Phone, they put some value into referrer into it - the value is actually the package location inside the phone (you can see this by using fiddler). It's literally some path (/apps/storage/[guid]) or something like that - I don't recall the exact value. To fix that, you go and set the referrer to the site on the HTTP headers making the request.
Hope that makes it clear.
I want to run my personal web sites via an httphandler (I have a web server and static ip at home.)
Eventually, I will incorporate a data access layer and domain router into the handler, but for now, I am just trying to use it to return static web content.
I have the handler mapped to all verbs and paths with no access restrictions in IIS 7 on Windows 7.
I have added a little file logging at the beginning of process request. As it is the first thing in the handler, I use the logging to tell me when the handler is hit.
At the moment, the handler just returns a single web page that I have already written.
The handler itself is mostly just this:
using (FileStream fs = new FileStream(Request.PhysicalApplicationPath + "index.htm",
                                      FileMode.Open))
{
    fs.CopyTo(Response.OutputStream);
}
I understand that this won't work for anything but the one file.
So my issue is this: the HTML file has links to some images in it. I would expect that the browser would come back to the server to get those images as new requests. I would expect those requests to fail (because they'd be mapped to index.htm). But I would expect to see the logging hit at least twice (and potentially hit recursively). However, I only see a single request. The web page comes up and the images are 'X's.
When I refresh the browser, I see another request come through, but only for the root page again. The page is basic HTML, I do not have an asp.net application (nor do I want one, I like HTML/CSS/JS).
What do I have to do to get more than just the first request sent from the browser? I assume I'm just totally off the mark because I wrote an HTTP Module first, but strangely got the same exact behavior. I'm thinking I need to specify some response headers, but don't see that in any example.
I'm trying to download file from FTP using javascript, for which I created the following topic:
Is it possible to download file from FTP using Javascript?
From there I learned that I can use window.open('ftp://xyz.org/file.zip'); to download the file. It opens a new browser window, but the window closes immediately.
How can I force it to stay open?
Actually I do all of this in a Silverlight application:
Here is the code:
HtmlPage.Window.Eval("window.open('" + url+ "', 'Download', 'height=500,width=800,top=10,left=10');");
I also tried this,
string targetFeatures = "height=500,width=800,top=10,left=10";
HtmlPage.Window.Navigate(new Uri(url), "_blank", targetFeatures);
But both result in the same: it opens a window, and closes it immediately. I see it just for a fraction of a second!
I know this doesn't answer your question, and I'm sure you know all of this. I'm answering more because I don't see this point brought up often. :)
Silverlight has very limited support for client interactions. Javascript is a shim that in my opinion gets overused to try and bypass things that Silverlight was architectured against. It would have been very easy for Microsoft to include FTP support in Silverlight but it was excluded for a reason.
However, Silverlight has great support for webservice interactions. So the recommended way of getting a file would be to call a webservice that would do the FTP transfer for you and then send the contents down to the Silverlight application via the webservice. Possibly even processing it on the webservice side for any business logic etc.
Like I said, I suspect your requirement is to not use a webservice (to pass the bandwidth cost onto the user most likely). But it'd be interesting to know more about your business problem instead of your technical problem for the solution you've chosen.
It closes because it triggers file download. You can open two windows - one for message and one to download file, but I think user will know it is downloading...
If I were you, I'd open up a page that has whatever visual/UI stuff you'd want to show the user, and either have a META tag that redirects to the download URL, or has a javascript blurb to fire off said download. That way, your window will stay open, but the download will still start automatically.
to keep it open use
var test = window.open();
test.location = 'ftp://openbsd.org.ar/pub/OpenBSD/2.0/arc/kernels/bsd.ecoff';
and to not open any window use
window.location = 'ftp://openbsd.org.ar/pub/OpenBSD/2.0/arc/kernels/bsd.ecoff';
or make a normal link
Remember that a browser is not meant to "display" (visually anyway) the FTP protocol, and not all browsers will support it. If you want to allow the user to download something, consider using a normal http:// protocol, and opening a window normally as others have suggested.
If you really need the download to be hosted via FTP, consider your backend ingesting (and caching) the file and return it to the user via http
There is nothing to be parsed on the browser's side, hence it closes. If you want to have the page open, you'll have to do something dirty. Like creating an html (or php) page and serving the content you want the user to see, then with a hidden iframe which will call the FTP contents.
This way your user will see the content you want them to see, and the file is being downloaded.
I had the exact same problem, Silverlight opening a new window for downloading a file would flash a blank window up briefly and it would disappear again without the file download occurring.
This seemed to happen in IE 8 (not 9 and up) and could be fixed by going into Tools->Internet Options->Security then click Custom level... (for whatever zone your site would be in) and go to Downloads->Automatic prompting for file downloads and make sure this is Enabled (I also have File download enabled below that). This Automatic prompting for file downloads setting seems to be absent from IE 9+.
Another workaround is to not open in a new window, if the target url immediately downloads a file it won't change the current window so there's no difference in UX:
HtmlPage.Window.Navigate(new Uri("/download.ashx?fileid=12345", UriKind.Relative));
My app is a very simple "one page" type app-
It has Default.aspx
I'm basically trying to get, for example:
www.myappurl.com/this is my text
I want to get hold of "this is my text" from the above example.
This will be displayed on the page (for now)
I didn't really want to have to use any complex url rewriting things for this...
(My hosting provider uses IIS6)
I tried using a 404 handler, but this is a bit long winded, and I'm using shared hosting, that can't set the "execute url" on custom 404 pages.
Any other ideas?
You can add a mapping for all requests with the * extension to the ASP.NET isapi dll (GET/POST) verbs. You will need to uncheck the "verify file is on disk" checkbox when mapping the extension in IIS. (In IIS7 integrated mode, you map the extension in the web.config as well). Note that this will cause everything to be served by asp.net, even images and script files, which can slow things down.
Then create a handler mapping in your web.config to a http handler you create.
From there, in the ProcessRequest() method of the handler, you have access to the HttpContext that spawned the request and can manipulate the URL from there.
That is the easiest option, you could also create a HttpModule, or have the default page at root redirect to http://www.domain.com/default.aspx/this is my text, in the code-behind of default.aspx, you will be able to get the text following the page and slash.
File.VBS file should be copied from IIS6.0 (File.VBS file will be deployed in IIS along the ASP.NET3.5 application) server to Client “TEMP” folder without opening the file download dialog box.
Thanks!
As indicated in the comment by Cheeso,
this is not possible!
This would constitute a very dangerous security hole!
Although brief on this topic, the RFC 2616 is nonetheless explicit on this point, in particular with regards to the User Agent's (read the "Web Browser") duties in that regard.
The receiving user agent SHOULD NOT respect any directory path information
present in the filename-parm parameter, which is the only parameter believed
to apply to HTTP implementations at this time. The filename SHOULD be treated
as a terminal component only.
If this header is used in a response with the application/octet-stream
content-type, the implied suggestion is that the user agent should not display
the response, but directly enter a `save response as...' dialog.