Securing access to other files in an ASP.NET application

  • Thread starter: NWx

Hi,

I have an ASP.NET app with forms security.
Users are allowed to upload files (which are "attached" to user accounts in
the database).
Documents are saved in a subfolder of the application, then in a
sub-subfolder with the same name as the user account.

For example, for user jo, the document will be saved in
documents/jo/a_picture.jpg
Then, after logon, the user can see all his attached documents in a datagrid,
with a link to open/download.

But if the user remembers the URL without being logged in, and types it into the
browser's address bar, he/she can open/download the document.

How can I extend the security features of ASP.NET forms security to protect
not only ASPX pages, but also all other documents in the application's virtual
folder and subfolders?

Thank you
 
Hi,
Otherwise you'll probably store your restricted files in a private folder
and use Response.Writefile once you've determined the user is authorized:
http://msdn.microsoft.com/library/d...fsystemwebhttpresponseclasswritefiletopic.asp

So, to use this technique, instead of putting a hardcoded anchor in my
template column, should I put a hyperlink button with appropriate
parameters, so when the user clicks it, it will trigger a server-side event which
will execute a response.writefile, passing the desired file back to the browser?

How can I make a folder restricted? Should I do this using WinNT folder
security features, or put it outside of the virtual web folder (in a folder not
accessible from the web site)?

Which approach will be better?

Thank you very much for your answer.
 
Yes, you've got the idea.
Standard windows file/folder permissions should be sufficient to protect the
files from direct access.
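
The approach discussed in this thread, as an added example that is not part of any poster's message: a download handler that serves a file from a private folder only to the logged-on owner. The handler name, the `file` query parameter and the `D:\AppData\documents` path are assumptions made for illustration.

```csharp
// Hypothetical Download.ashx handler; added example, not code from the thread.
using System;
using System.IO;
using System.Web;

public class DownloadHandler : IHttpHandler
{
    // Assumption: documents are stored outside the virtual folder, one subfolder per account.
    private const string PrivateRoot = @"D:\AppData\documents";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // .ashx requests pass through forms authentication; refuse anonymous callers.
        if (!context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401; // forms authentication turns this into a login redirect
            return;
        }

        string name, userDir, fullPath;
        try
        {
            // The folder comes from the logged-on account, never from the request.
            userDir = Path.GetFullPath(Path.Combine(PrivateRoot, context.User.Identity.Name));
            // Keep only the file name part so "..\" sequences cannot leave the user's folder.
            name = Path.GetFileName(context.Request.QueryString["file"] ?? string.Empty);
            fullPath = Path.GetFullPath(Path.Combine(userDir, name));
        }
        catch (ArgumentException) // invalid path characters in the request
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Re-check containment after normalisation, then make sure the file exists.
        bool inside = fullPath.StartsWith(userDir + Path.DirectorySeparatorChar,
                                          StringComparison.OrdinalIgnoreCase);
        if (name.Length == 0 || !inside || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.WriteFile(fullPath);
    }
}
```

The datagrid link would then point at the handler (for example `Download.ashx?file=a_picture.jpg`) instead of at the file itself, and the worker process account needs read permission on the private folder.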
 