I have an ASP MVC project, and in it I have added a directory structure:
...
UserUploads
    User_1
        Images
            Original
            Thumb
            Display
    User_2
    User_n
...
How do I make this folder structure invisible to users? I don't want unauthorized users to see these images by typing a URL. Each user has its own images, and only a user that is a 'friend' of some user can see its images. I inspected Facebook images, and an image address looks like:
http://a4.sphotos.ak.fbcdn.net/hphotos-ak-ash4/296040_2530953916384_1329592446_32898884_1499197273_n.jpg
So what is the best practice to make user uploaded files secure?
Well, you can use 2 approaches:
real security - restrict access to the folder structure entirely, and use only some HttpHandler (or MVC action) to serve them (after evaluating access rights, writing them to the response via TransferFile or a stream writer...). This is very bad from a performance point of view - no caching, entire server-side processing for each and every picture, etc.
"obfuscation" security - simply generate filenames that can't be guessed (a Guid is a good candidate), so nobody without access to the page that generates their filenames into the HTML can access them directly. Sure, one "friend" can access it and then give the file URL to an unauthorized person, but he can just as easily send him the file itself... This way the performance is very good - files are cacheable (by IIS and by the client), your app doesn't have to process requests for images, etc.
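The first approach above (images served only by an MVC action after an access check), as an added example that is not part of the original answer. IImageAccessPolicy, UserImagesController, the Show route and the .jpg-only rule are hypothetical names and assumptions; direct requests to UserUploads are assumed to be blocked, and the folder layout is the one from the question.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical abstraction over the application's own user/friend data.
public interface IImageAccessPolicy
{
    int GetUserId(IPrincipal principal);
    bool CanView(int viewerId, int ownerId); // true for the owner or a "friend"
}

[Authorize] // anonymous requests never reach the action
public class UserImagesController : Controller
{
    private static readonly HashSet<string> Sizes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Original", "Thumb", "Display" };
    private readonly IImageAccessPolicy _policy;

    // Assumes a dependency resolver is configured to supply the policy.
    public UserImagesController(IImageAccessPolicy policy) { _policy = policy; }

    // Assumed route: /UserImages/Show?ownerId=1&size=Thumb&fileName=abc.jpg
    public ActionResult Show(int ownerId, string size, string fileName)
    {
        // Only the three known sub-folders and a bare .jpg name: no separators, no "..".
        if (!Sizes.Contains(size ?? "") || string.IsNullOrEmpty(fileName)
            || fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || !fileName.EndsWith(".jpg", StringComparison.OrdinalIgnoreCase))
            return HttpNotFound();

        // Same response as a missing file, so the URL does not confirm an image exists.
        if (!_policy.CanView(_policy.GetUserId(User), ownerId))
            return HttpNotFound();

        string path = Path.Combine(Server.MapPath("~/UserUploads"),
                                   "User_" + ownerId, "Images", size, fileName);
        if (!System.IO.File.Exists(path))
            return HttpNotFound();

        // The browser may cache the image; shared proxies must not store it.
        Response.Cache.SetCacheability(HttpCacheability.Private);
        Response.Cache.SetMaxAge(TimeSpan.FromMinutes(10));
        return File(path, "image/jpeg");
    }
}
```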
Just restrict access in the web.config file for that UserUploads folder:
<location path="UserUploads">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>