secure files

Ahmed Galal

i have some files on my .NET host that i want to make it secure for only registed users, if the user types the full path of the file in the address bar he will got the file, i thought about inserting the files into the database, but the database won't have space for all this files,so how to prevent peoples from downloading files by just typing the full path of the file ? any ideas ? thanx

powerlc

If u don't hava a database,you can use xml to save the registed user's User Name & Pass word or other file which can instead of the database. Then------------- code in you *.cs files: page_Load( ...) { //UserName,UserPass pass by WEB UI.TextBox if ( !PostBack ) { string UserName = UName.Text.ToString(); string UserPass = UPass.Text.ToString(); if ( checkUser(UserName,UserPass) ) Page.Visible = true //for registed users else Page.Visible = false; } } ... public bool CheckUser(string UName,UPass) { //check the UserName,UserPassWord.... if { true } return true; else return false; }

minhpc_bk

Hi there, What are the extensions of the files that you want to protect? If they are .aspx, .ashx, ... , then you can place the authorization settings in the web.config file to do that. However, I think you are talking about other files which are not protected by the ASP.NET by default as you said that you thought about using a database. In this case, there are two simple ways come to mind: + You can map those file extensions to the ASP.NET aspnet_isapi.dll similar to the .aspx extension in the IIS snap-in, then you can use the authorization setting to secure the files. + You can rename the files with a new value which is hard to guess for example a guid value, then you simply create a seperate web page which is resposible for reading the file content and writing out to the client side, and basically only authenticated users are able to access this page to download the files.

Ahmed Galal

i think u misunderstood me, the problem isn't in validating users or to check for usernames, and the files may not be asp or aspx files, it may be mp3,mpeg, or any kind of files. thanx for reply.

Ahmed Galal

it maybe any kind of files like mp3,avi or anything else, what do u mean with mapping files to the aspnet_isapi.dll?, and also is there any other ideas than renaming files ? thanx for reply.

minhpc_bk

Hi there, By this I mean the simple way (perhaps, the simplest way) to protect those static files with the ASP.NET engine is to map the file extensions to the ASP.NET ISAPI extension(aspnet_isapi.dll). Once those files are mapped, every time the users try to access a file with a full path, the ASP.NET engine will do the authentication and authorization on the file in the same way as on the .aspx, .config ... files. To do the mapping, you can follow the steps: + In the IIS snap-in, right click the application folder and choose Properties to open the Properties dialog box. + In the Directories tab, click the Configuration button to open Application Mapping dialog box. + In the Mappings tab, click Add to add a new entry for a new extension. The values for the Executable Path and Verbs columns should be the same as those of the .aspx extension. Once the mapping is complete, you can place the authorization settings in the web.config file to prevent unauthenticated user from accessing those files, it's the same as when you do for the .aspx files. In addition to renaming the file, there are two solutions come to mind: + You can put all files into a specific folder, say media, then you can use a url rewriting component to rewrite any request for a file in the media folder to a web page. This web page is basically responsible for reading the selected file content. You can place the authorization setting on this web page in the web.config file or in code of the page to deny any anomymous access. One more thing, you have to rewrite the url at IIS if the file extensions are not mapped to the ASP.NET ISAPI extension, for example http://www.isapirewrite.com/[^]: When the user requests for a file in the media with the url: http://domain/myapp/media/lession1.mp3, at IIS the url will be rewritten to http://domain/myapp/media/download.aspx?filename=lession1.mp3. + You can put the files in a non-accessible folder via a url like the bin folder, then you simply use a web page to read the selected file content. The users are basically required to access the web page to download any files. Above are just some ideas.

Ahmed Galal

thanx very much for this useful ideas, thats what i wanted.