tomcat-users mailing list archives

From "Jon Yeargers" <j...@lupinesystems.net>
Subject Re: Image Viewing
Date Fri, 12 Dec 2003 23:00:14 GMT
Errr... right... to a point: you can store something in the HttpSession
that would indicate that a valid session was underway and permit the
tag to work (per YS). In the end _it is_ still just a URL, but there are
'other forces at work.'


> How does an image get displayed in a page?
>
> 1. The browser receives an HTML page with an IMG tag in it. The IMG tag
> contains a src attr (an HTTP URL).
> 2. The browser makes another request, for the URL of the image.
> 3. The server returns the image, which is displayed.
>
> Clearly, if you want an image to be displayed within a web page, the
> image must be available on your server. There is no difference between
> the browser making a request for a URL and the user typing that URL
> into the address bar directly. Maybe you can look at the referer field,
> but of course that can be hoaxed so if you are really trying to keep
> this secure that is not a solution.
>
> If you really want to only provide content to specific users, you must
> provide some sort of access control mechanism. The same mechanism should
> apply to images you wish to protect.
>
> This is all related to the fundamental workings of HTTP.
>
> HTTP is an integral part of how the web works - anyone thinking of
> designing a website (especially using scripting languages, servlets, or
> anyone trying to provide any type of security) should understand at
> least the fundamentals of HTTP.
>
> -Erik
>
> Christopher Schultz wrote:
>
>> All,
>>
>>> It would be <img src="http://yourserver/yourservlet?param=paramValue"
>>> alt="something">
>>
>>
>> This still doesn't answer the "original" interpreted question. I don't
>> think it's possible to display an image on a page and prevent users
>> from browsing to it directly from their browser.
>>
>> The only thing I can think of is to check the REFERER header to see if
>> it came from the page on which you want to display it. That's also not
>> foolproof...
>>
>> -chris
>>
>>
>
>
> --
> http://www.spectacle.ca/
> The Online Source for Live Music in Montreal
> .::514.286.1699::.
>
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
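As an added illustration of the approach the thread converges on (an image-serving servlet gated on a marker in the HttpSession rather than on the Referer header), here is a servlet written for this page; it is not code from the thread or from Tomcat. The attribute name "authenticatedUser", the directory /var/app/protected-images, the ?name= parameter and the file-name whitelist are assumptions made for the example; the login handler is assumed to call session.setAttribute("authenticatedUser", username) after verifying credentials.

```java
// Added example, not from the original thread.  Names such as "authenticatedUser",
// the image directory, and the ?name= parameter are assumptions for illustration.
// Uses the javax.servlet API of Tomcat 4/5 vintage; on Tomcat 10+ the package is
// jakarta.servlet.
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Serves images from a directory that is NOT under the webapp document root,
 * so the bytes are only reachable through this servlet, and only when the
 * request carries a session that the login code has marked as authenticated.
 * The Referer header is deliberately never consulted: the thread already
 * notes that the client controls it.
 */
public class ProtectedImageServlet extends HttpServlet {

    // Assumed location; must be outside the deployed webapp directory.
    private static final File IMAGE_DIR = new File("/var/app/protected-images");

    // Plain file names only: no path separators, no "..", so ?name= cannot be
    // used to read arbitrary files from IMAGE_DIR's parents.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9_-]{1,64}\\.(png|jpg|jpeg|gif)");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Access check.  getSession(false) never creates a session, so a
        //    direct request without the session cookie (typed URL, hotlink,
        //    curl) sees null here and is refused.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("authenticatedUser") == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 2. Validate the parameter before it touches the filesystem.
        String name = req.getParameter("name");
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        File image = new File(IMAGE_DIR, name);
        if (!image.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 3. Keep shared caches and proxies from handing the same bytes to the
        //    next, unauthenticated, requester of this URL.
        resp.setHeader("Cache-Control", "private, no-store");
        String mime = getServletContext().getMimeType(name);
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        resp.setContentLength((int) image.length());

        // 4. Stream the file.
        try (InputStream in = new FileInputStream(image);
             OutputStream out = resp.getOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }
}
```

With this servlet mapped to, say, /protected/image in web.xml, the page uses <img src="/protected/image?name=chart.png"> exactly as the thread describes; the browser's second request carries the same session cookie as the page request, so the image loads for a logged-in user, while pasting the URL into a fresh browser or fetching it from another site gets a 403. This does not stop a logged-in user from saving the image; it only ensures that the session check, not the Referer, decides who receives it.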

