file permission

[Guest]

Hello

I develop a web application with form authentication by C#.NET. Authorized users can upload/download files to/from the web server. But I meet a problem: any user can download any file on the web server once they know the file's URL. Do you know how to prevent this?

Thanks in advance.

 

[Michael Mayer [C# MVP]]

You need to put the files in a private folder (or a database), and then have
an asp.net page return the file.

Here's a couple of articles that shows how to do that:
http://www.123aspx.com/redir.aspx?res=30958
http://www.aspfree.com/c/a/ASP.NET-Code/File-download-using-C-by-MVadivel/

That would make your url's look something like this:
fake://mydomain.com/GetDoc.aspx?name=document.doc

If you want more pleasing URL's, then you can combine this with URL
rewriting.

This is one of the most useful rewriting articles I've found. (But there are
several out there, search for: url rewriting httpmodule
http://www.codeproject.com/aspnet/urlrewriter.asp

You wouldn't need all the regular expressions code, instead just check if
the url is something like:
/uploads
and then simply rewrite the url to be
http://mydomain.com/GetDoc.aspx?url=(oldurl)


--
Mike Mayer, C# MVP
(e-mail address removed)
http://www.mag37.com/csharp/

Hello,

I develop a web application with form authentication by C#.NET. Authorized

users can upload/download files to/from the web server. But I meet a
problem: any user can download any file on the web server once they know the
file's URL. Do you know how to prevent this?