AveniImmism
New Member
Like loading an object from Amazon S3; using a secret key, an access ID and an expiry time, they make the link to the object expire after the requested expiry time. I would like to somehow achieve this on my celebrity stock photo website (logged in members only).My application was built a while ago in Classic ASP and MySql and I've only just got round to hiding my photo directories behind the root of the website, to stop users browsing the photos folder from their browser.. but I want more.My image elements look like this:\[code\]<img src="http://stackoverflow.com/questions/11572024/loadImage.asp?p=12345">\[/code\]...and are written by a recordset loop, 30 per page. On loadImage.asp, I'm using Persits ASP.Jpeg to send the photo to the browser in binary, coming from before the virtual root (c:\inetpub\vhosts\mydomain\lib-images). But if the logged in user types \[code\]loadImage.asp?p=12345\[/code\] in to the browser, the image displays, and then they can change the number and look at the next photo, and that maybe a photo I don't want them seeing - so I need to somehow stop this.One way I thought of, was to create a new table called "signedLinks" or similar, with the following fields:\[code\]IDmemberIDphotoIDsecretKeyexpires\[/code\]... and as my recordset loops through 30 photos, for each row insert a unique secret key, and expiry date of 1 minute to "signedLinks" and then use the secret key as the querystring value for the photo. When the \[code\]loadImage.asp?p=df223moiada83mi231\[/code\] is called, it can can check if that links expiry is safe and show the image.Or after writing all this, I come up with the idea of using a salt and encryption function to create a unique, encrypted version of the photoID, unguessable by the user.Please share your thoughts, ideas. Am I thinking in the right direction? If it's a good idea, is there anything else I should bare in mind?