Is there any solution available for protecting media files from unauthorized downloading?
I know Dirk is wokring on a project http://our.umbraco.org/projects/protected-media but is there any solution currently available?
alternate approach could be saving media files in database, applying
permissions to these files for related user/member groups, and on
download checking if user has access to this download!
Yes, solution is currently available but no installer package yet (as media types cannot be included in a package), and no installation documentation yet... but you may contact me (dirk at netaddicts dot be) and as I have a demo site available as well as install info.
Can you please send to me at GreatLogics at yahoo dot com
I've not looked at Dirk's solution, and it may work in the same way, but an option is not to link to the image file directly, but to link to a download page and pass the ID of the image in the querystring, assuming it's in the media section. The download page woudl check the users authentication and authorisation settings and then pass the file on, or not, as appropriate.
I've done this, as a proof of concept, to stop the browser from displaying images that have been linked to and instead to prompt the user to save the image, by changing the http headers, to protect the image from unaithorised download, and also log which images are downloaded and by whom.
You can find a thread about this at stackoverflow that's also referenced from another topic here about downloading images
The original topic about downloading PDFs
Thanks Tom sounds like a good idea!
Masood, I've sent a mail with binaries and install instructions and link to demo site.
As far as i can see with your suggestion, the media files are still in the Media folder and therefore not protected from direct download.
You can get to a file if you know it's URL like: http://www.name.com/media/2399/filename.jpg
Someone with acces to the file cane give someone without acces this URL, and they can get to the file without going through the download page.
This might or might not be a problem depending on the security needed for your solution.
Dirks solution solves that problem !!
you are right about the image being able to be downloaded directly, but only if the following conditions are met:
The name of the file isn't shown unless you successfully download it in which case you have already logged in and have access to the file. The path to the image is never shown, but it does have the weakness that it's security by obfuscation, which obviously isn't suitable for every case, but quick and easy to setup where the maximum security isn't required, otherwise I would keep the items in a directory outside the root of the website itself.
Finally you can just let IIS stop serving files from the /media folders if you're streaming it via a proxy page. That way the anonymous user won't have read access to /media but the application pool user will (ie. asp.net reading and streaming the file).
Just a post for everyone who is interested.
I've just released a
media protect package, which allows you to protect media in the same
simple way as you protect content in Umbraco. No additional
configuration needed. Just install the package and it works.
Check out the projects page for more info and a fully functional trial download.