limit access to certain file types

[Kevin Blount]

My current site uses a ASP, database driven, ID based system to allow
people to download files they have the right permissions to, as well as
to send an email to them with necessary support links and passwords and
an email to us with 'who did what and when' info.

a typical link from this system might be

http://www.oursite.com/getfile.asp?id=123

My current task is to allows link directly to the file (for a cleaner
looking link, I suppose) but still drive the emails, etc. My thought
was to use a combo of ASP.NET dlls and IIS6, which for the most parts
works. Esentially I just associate the .exe file extension with
aspnet_isapi.dll and then use web.config and a .net script (index.aspx)
to check permissions etc.

index.aspx does a few things:
1 - checks for existing cookies to see if they are logged into our site
2 - redirects to login page if not
3 - when they are logged in, it checks their user ID against the
database for access to the file
4 - if granted, it sends the emails
5 - it uses FormsAuthentication.RedirectFromLoginPage to give them the
file.

the issue is that the next file they want does NOT do steps 1 thru 4
above, because step 5 sets a cookie, which I have no contorl over, and
that cookies is available for the whole session, so no checks are made,
and no emails are sent.


What I'm looking for it either an alternative to
'FormsAuthentication.RedirectFromLoginPage', which doesn't *redirect*
to the file (as this instigates index.aspx and causes an infinite
loop), or a total new way to link directly to a filename and perform
actions before the file is given to the user.

any ideas??

 

[Nicholas Paldino [.NET/C# MVP]]

Kevin,

You should be able to use an implementation of IHttpHandler. For more
information, check here on how to use them:

http://msdn2.microsoft.com/en-us/5c67a8bd.aspx

The only thing you would have to beyond the code is register the
extension as being handled by ASP.NET, and then change your config file to
use the handler.

Then, you can do what you need in the handler.

Hope this helps.

 

[Kevin Blount]

Hi Nicholas,

Thanks for the suggestion. I took a look at the link, did some reading,
and it does sound like it might work for me. As a test I copied the
code from this page:
http://msdn2.microsoft.com/en-us/ms227433.aspx (C# version, natch <g>)

I adapated the instructions to work for .exe extensions, and the result
of that script does appear when I click a link to test.exe within the
application (/catalog/) where I update the web.config.

i.e. it works!!

the next thing for me to do is figure out which parts of that script I
need to edit to check the database, email the link, and finally
actually let someone grab test.exe. Right now it seems to display the
test message *instead* of downloading the file, which obviously defeats
my proposed use of the script.

Any ideas? I would normally battle it solo (and I will be working on it
once I finish typing this), but a deadline approaches, so any help I
can get is invaluable.

Thanks for posting the link.. it could just work, dammit!

Kevin

 

[Nicholas Paldino [.NET/C# MVP]]

Kevin,

Well, here is where you will have to do some work.

First, you will have to set the ContentType header so that the browser
knows how to process what you are returning.

Then, when that is set, you will have to open the file and write the
contents. In this case, you should be able to pass the name of the file to
the WriteFile method on the Response exposed by the HttpContext passed in.

You can then do the email processing and whatnot in the same method
which processes the request.

 

[Kevin Blount]

Nicholas,

Great! I appreciate the guidance. As a lot of people, when I look at a
script I didn't write it takes me a while to figure out which bit does
what, and THEN I have to make it do what I want it to do heh.

Your quite summary puts me on the write road, especially as I actually
understood it!

Thanks again

Kevin

Kevin,

Well, here is where you will have to do some work.

First, you will have to set the ContentType header so that the browser
knows how to process what you are returning.

Then, when that is set, you will have to open the file and write the
contents. In this case, you should be able to pass the name of the file to
the WriteFile method on the Response exposed by the HttpContext passed in.

You can then do the email processing and whatnot in the same method
which processes the request.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

Hi Nicholas,

Thanks for the suggestion. I took a look at the link, did some reading,
and it does sound like it might work for me. As a test I copied the
code from this page:
http://msdn2.microsoft.com/en-us/ms227433.aspx (C# version, natch <g>)

I adapated the instructions to work for .exe extensions, and the result
of that script does appear when I click a link to test.exe within the
application (/catalog/) where I update the web.config.

i.e. it works!!

the next thing for me to do is figure out which parts of that script I
need to edit to check the database, email the link, and finally
actually let someone grab test.exe. Right now it seems to display the
test message *instead* of downloading the file, which obviously defeats
my proposed use of the script.

Any ideas? I would normally battle it solo (and I will be working on it
once I finish typing this), but a deadline approaches, so any help I
can get is invaluable.

Thanks for posting the link.. it could just work, dammit!

Kevin