How does an image get displayed in a page?

1. The browser receives an HTML page with an IMG tag in it. The IMG tag contains a src attr (an HTTP URL).
2. The browser makes another request, for the URL of the image.
3. The server returns the image, which is displayed.


Clearly, if you want an image to be displayed within a web page, the image must be available on your server. There is no difference between the browser making a request for a URL and the user typing that URL into the address bar directly. Maybe you can look at the referer field, but of course that can be hoaxed, so if you are really trying to keep this secure, that is not a solution.

If you really want to only provide content to specific users, you must provide some sort of access control mechanism. The same mechanism should apply to images you wish to protect.

This is all related to the fundamental workings of HTTP.

HTTP is an integral part of how the web works - anyone thinking of designing a website (especially using scripting languages, servlets, or anyone trying to provide any type of security) should understand at least the fundamentals of HTTP.

-Erik

Christopher Schultz wrote:

All,

It would be <img src="http://yourserver/yourservlet?param=paramValue" alt="something">


This still doesn't answer the "original" interpreted question. I don't think it's possible to display an image on a page and prevent users from browsing to it directly from their browser.

The only thing I can think of is to check the REFERER header to see if it came from the page on which you want to display it. That's also not foolproof...

-chris


--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]





--
http://www.spectacle.ca/
The Online Source for Live Music in Montreal
.::514.286.1699::.
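
The access-control point made in the message above, as an added example that is not part of the original thread: the image handler makes the same session check a protected page would and never consults Referer. The function names, the "sid" cookie name, the paths and the users are assumptions made for illustration; the same logic belongs in whatever servlet or filter serves the image.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed sample data; paths, user names and the "sid" cookie name are assumptions.
SESSIONS = {}                                    # session id -> user name
IMAGE_ACL = {"/images/poster.png": {"alice"}}    # image path -> users allowed
PRIVATE = {"Cache-Control": "private, no-store"} # keep shared caches out of it


def login(user):
    """Create a server-side session and return its unguessable id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def session_user(headers):
    """Map the request's Cookie header to a logged-in user, or None."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    morsel = cookie.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None


def image_response(path, headers):
    """Return (status, response headers) for an image request.

    Referer is never read: the client supplies it, and a typed URL and an
    <img> fetch are the same GET as far as the server can tell.
    """
    user = session_user(headers)
    if user is None:
        return 401, PRIVATE          # same answer whether or not the path exists
    allowed = IMAGE_ACL.get(path)
    if allowed is None:
        return 404, PRIVATE
    if user not in allowed:
        return 403, PRIVATE
    return 200, {**PRIVATE, "Content-Type": "image/png"}


if __name__ == "__main__":
    alice, bob = login("alice"), login("bob")
    page = "http://yourserver/gallery.html"      # constructed Referer value
    for hdrs in ({"Referer": page}, {"Cookie": f"sid={bob}", "Referer": page},
                 {"Cookie": f"sid={alice}"}):
        print(image_response("/images/poster.png", hdrs)[0])
```

The image is still reachable by typing its URL, but only by a user whose session is allowed to see it, which is the property the thread is after.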





