Securing a directory

  • Thread starter Thread starter Simon Harvey
  • Start date Start date
S

Simon Harvey

Hi everyone,

I just read an article that said that when you use a web.config file to
secure a directory, all it can do is secure the asp.net resources in that
directory - not any non .net resources.
For ecample, image files, html and asp files would not be secured.

I didnt actually realise this and it gave me a bit of a fright! Can anyone
suggest the best way to keep a directory secured in an application using
Forms Authentication.

It's not a problem for me at the moment because I havent made a site that
would be affected, but I'm not really sure how I would ensure a directory
was totally locked down should the need arise.

Thanks to anyone who can help

Kindest Regards

Simon
 
Hi Simon,


You can secure a directory via web.config by using the <location> element.
As to non-ASP.NET resources---your source was correct. Your IIS maps a
number of extensions to the ASP.NET ISAPI. Each request for .aspx, .ashx,
..asmx and a number of other extensions is routed through the ASP.NET HTTP
Pipeline. The pipeline provides authentication, authorization, caching and
everything else. On the other hand, .htm, .html, .gif, .jpg, etc extensions
are not serviced by ASP.NET by default to avoid unnecessary overhead. You
*can* reassign them to the ASP.NET ISAPI. I briefly touched on this subject
in my article on custom error pages at
http://www.aspnetresources.com/articles/CustomErrorPages.aspx (scroll down
to "What about HTML pages?").

The bottom line is you can have everything go through the ASP.NET pipeline
but this will incur is certain overhead. If you need code samples of how to
secure downloads of images, pdf's, etc let me know. I'll look up a couple.
 
Milan said:
If you need code samples of how to secure downloads of images, pdf's,
etc let me know. I'll look up a couple.
Click to expand...

I'd be interested in that as well (esp the pdfs)

Ta.
 
Simon Harvey said:
Hi everyone,

I just read an article that said that when you use a web.config file to
secure a directory, all it can do is secure the asp.net resources in that
directory - not any non .net resources.
For ecample, image files, html and asp files would not be secured.

I didnt actually realise this and it gave me a bit of a fright! Can anyone
suggest the best way to keep a directory secured in an application using
Forms Authentication.

It's not a problem for me at the moment because I havent made a site that
would be affected, but I'm not really sure how I would ensure a directory
was totally locked down should the need arise.

Thanks to anyone who can help

Kindest Regards

Simon
Click to expand...


Hi there,

Thanks for your reply!

Those solutions seem a bit convoluted just to keep a directory secure. Do
you know of any simpler way, such as putting the sensitive information
someplace that its directly accessible via the web, and then providing
asp.net code to get the files should a user be authenticated correctly.

Is that possible or am I just being silly!

:-)

Simon
 
Hi there,
Thanks for your reply!

Those solutions seem a bit convoluted just to keep a directory secure. Do
you know of any simpler way, such as putting the sensitive information
someplace that its directly accessible via the web, and then providing
asp.net code to get the files should a user be authenticated correctly.

Is that possible or am I just being silly!

:-)

Simon
Click to expand...

Hi Simon,

You can have one page to control downloads. For example, some kind of a
download.aspx page protected with Forms Authentication. Say you collect user
info and have this page redirect to a PDF/DOC/XLS/etc. If anyone can figure
out your file naming convention (if there's one) they'll know how to bypass
the download page, so it really depends on hw far you want to go with this.
On our company web site we have a few PDFs that we "protect" this way
(http://www.custfeedback.com/resources/default.aspx). Once you click a link
to a PDF, download.aspx collects info and redirects you to the file which
triggers a "save as" dialog.

Does it make sense?
 
Back
Top