Prevent an image from being downloaded / displayed (apart from our application)

Hello all,

I have an image in a database. I assign it to a webPicture.
And I ask my web server to display the webPicture.url.
The problem is that the image is a confidential document.

A few questions, please:

  • In which folder is the file created?

  • Can this file be recovered by a third party? (for example: a robot like Google, or by manually typing the URL of the image, or by listing the folder contents, or by making a link from another website, etc.). How can this be prevented?

  • Is it deleted automatically at the end of the session?

Thank you,
Olivier

[quote=141357:@olivier vidal]- Can this file be recovered by a third party? (for example: a robot like Google, or by manually typing the URL of the image, or by listing the folder contents, or by making a link from another website, etc.). How can this be prevented?[/quote]

In principle GoogleBot cannot scan your app (it is an unsupported browser) so it should not be able to plunder your picture to cache it into images.google.com unless you allow all browsers indiscriminately.

But nothing really prevents a user from right-clicking the picture and saving it. Well. There are ways to prevent the right click, but that messes with ContextualMenu. And it will not prevent people from going into the developer console and searching for img, then lifting the picture from there.

I have not used it, but another approach which could be tried is to “shred” the picture: cut it into several strips or rectangles, and display them in an assembly of ImageWells the way you would a puzzle. If done well it will display as one picture, but right click will only get a small portion, and it will require some doing to get the whole picture downloaded and reassembled. Nothing is bulletproof, though, but it could be enough.

Thank you Michel, but the customer who sees the image in its application can download it. What bothers me is that other people (eg, competitors of my client) can download this image using the URL.

WebPicture.URL seems to be dynamic and to live only for a short while.

Yes, that’s something. I’m also looking at the “anti-leeching/cross-site linking” features of my web server.

Yes. It’s available until the WebPicture object and session go out of scope. URLs are session specific (unless you set the WebPicture.Session property to Nil).

Thank you Greg.

This means that access to the file is denied outside the session?

Not to be a Debbie Downer, but wanted to add.

How will this prevent someone from taking a screen capture of the image with Grab or Snippet for example?

You can never prevent that but at least it’s not the original source.

[quote=141384:@Rich Hatfield]Not to be a Debbie Downer, but wanted to add.

How will this prevent someone from taking a screen capture of the image with Grab or Snippet for example?[/quote]

Looks like that would already be allowed:

You can make it difficult in Internet Explorer. I had to write a document viewer that prevented grabbing screenshots and what I did was if I couldn’t control the clipboard I wouldn’t display the image. Since Internet Explorer was the only browser that let you control the clipboard it was the only one that was usable.

Unless the viewer exists in a virtual machine and you are screen grabbing from a host :stuck_out_tongue:

Yes and that was a stated limitation before I had started. Though some of the VMs have shared clipboards and with those the “protection” still worked.

Either way this does not help the OP. Sorry!

On a Mac it is next to impossible (won’t say impossible) to disable taking a screenshot of the webpage/image. I take screenshots of lots of webpages/images on a daily basis.

It does… it reminds the OP that you should do your best to prevent the copying of sensitive data but realize that there is only so much you can do from the technology you are working with.

Being aware of how security measures can be bypassed is a means to bring to the table to tell the customer what is and what is not possible.

When there is a will… there is a way.

But the OP wasn’t (or didn’t seem to be) concerned about legitimate access. His client is allowed to download the image anyway, so what does he care about screen capture? The point was, is there a URL floating about the internet that could be sniffed out and used to access the image? The answer appears to be no.

IP specific? Because when I paste the URL of the image in another tab or another browser, the image is displayed even if I do not use the webPicture.session property or if I assign my session to this property.

I’d go the split up image approach and stitch it back together for when the client downloads it.
If you split by rows and columns it’s fairly straightforward to put it together again.

The URL is alive only while the session exists. So indeed you can open the picture in another tab, but only while the session is here. As soon as it terminates, the URL goes pumpkin.

But I fail to understand the nature of your exact fear. As you said, the document will be offered for download to the user in the current session. So why on earth would that legitimate user try to steal what he has already paid for and has downloaded?

The important thing is that someone who has not logged in cannot access the URL, which is already the case.
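The thread notes that the image URL still opens in another browser while the session is alive. As an added example (not from the thread, and generic Python rather than Xojo's WebPicture mechanism), here is a request check that ties a short-lived image URL to the requester's own session cookie; the function names, URL layout and sample session ids are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-process secret (hypothetical name)

def _sign(image_id, session_id, expires):
    # The signature covers the image, the owning session and the expiry.
    msg = f"{image_id}|{session_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def make_image_url(image_id, session_id, ttl=300, now=None):
    """Mint a short-lived URL for one image, bound to one session."""
    expires = int(now if now is not None else time.time()) + ttl
    sig = _sign(image_id, session_id, expires)
    return f"/img/{image_id}?exp={expires}&sig={sig}"

def parse(url):
    """Split a URL from make_image_url into (image_id, exp, sig)."""
    path, query = url.split("?", 1)
    params = dict(p.split("=", 1) for p in query.split("&"))
    return path.rsplit("/", 1)[1], params["exp"], params["sig"]

def authorize(image_id, exp, sig, cookie_session_id, live_sessions, now=None):
    """Return the HTTP status the image handler should answer with."""
    now = int(now if now is not None else time.time())
    if cookie_session_id is None or cookie_session_id not in live_sessions:
        return 401  # no session cookie, or the session has ended
    try:
        expires = int(exp)
    except (TypeError, ValueError):
        return 400  # malformed expiry parameter
    if expires < now:
        return 410  # link has expired
    # Recompute with the session from the cookie, not from the URL:
    # a URL pasted into another browser carries a different (or no) cookie.
    expected = _sign(image_id, cookie_session_id, expires)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return 403  # minted for another session or another image
    return 200

if __name__ == "__main__":
    live = {"sess-A", "sess-B"}  # constructed sample session ids
    iid, exp, sig = parse(make_image_url("doc42", "sess-A"))
    print(authorize(iid, exp, sig, "sess-A", live))  # owner's browser
    print(authorize(iid, exp, sig, "sess-B", live))  # same URL, other session
```

A check of this kind only covers requests that lack the owner's session cookie; it does nothing about saving or screen capture by the logged-in user, as the thread points out.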

[quote=142157:@nige cope]I’d go the split up image approach and stitch it back together for when the client downloads it.
If you split by rows and columns it’s fairly straightforward to put it together again.[/quote]

The puzzle technique is good only against right click/save. It does not prevent a screen grab.