Short version: I want to know how in ASP.NET I could bar direct http access
to some files in a directory that match a pattern, but not others. An
alternate solution would be to bar all direct http access to files and
require that any access of the files be mediated by my web application. In
other words, direct access via http://domain.com/app/MyCoolPhoto.jpg would
be forbidden.

Long version: I've written a photo cms and display application that has
organized many tens of thousands of files. It has made different versions of
those files, some of which I am willing to offer to the general public and
most of which I'm not:

jid20040632_pid400017_wissnerslivkachair_001_ld50.jpg
// OK to show to the world
jid20040632_pid400017_wissnerslivkachair_001_ld400watermarked.jpg //
Also OK, it's watermarked
jid20040632_pid400017_wissnerslivkachair_001_fullsized.jpg
// NOT OK! Keep this files matching "..._fullsized" off limits!
[multiply this by 20 other variations.]

I want to limit access to most of those variations. In some cases I imagine
I will be doing that limiting via ASP.NET 2 roles and in other cases I will
be inspecting ServerVariables that are assigned by the Pubcookie auth
framework.

Can someone suggest a server-side approach that works with ASP.NET and that
can't be easily defeated?

Thanks,
-KF

I've documented all you need to know on this subject here:
http://dotnetslackers.com/articles/a...ileDenial.aspx

--
I hope this helps,
Steve C. Orr,
MCSD, MVP, CSM, ASPInsider
http://SteveOrr.net



"Ken Fine" <(E-Mail Removed)> wrote in message
news:f8m0ue$msf$(E-Mail Removed)...
> Short version: I want to know how in ASP.NET I could bar direct http
> access to some files in a directory that match a pattern, but not others.
> An alternate solution would be to bar all direct http access to files and
> require that any access of the files be mediated by my web application. In
> other words, direct access via http://domain.com/app/MyCoolPhoto.jpg would
> be forbidden.
>
> Long version: I've written a photo cms and display application that has
> organized many tens of thousands of files. It has made different versions
> of those files, some of which I am willing to offer to the general public
> and most of which I'm not:
>
> jid20040632_pid400017_wissnerslivkachair_001_ld50.jpg // OK to show to the
> world
> jid20040632_pid400017_wissnerslivkachair_001_ld400watermarked.jpg //
> Also OK, it's watermarked
> jid20040632_pid400017_wissnerslivkachair_001_fullsized.jpg // NOT OK! Keep
> this files matching "..._fullsized" off limits!
> [multiply this by 20 other variations.]
>
> I want to limit access to most of those variations. In some cases I
> imagine I will be doing that limiting via ASP.NET 2 roles and in other
> cases I will be inspecting ServerVariables that are assigned by the
> Pubcookie auth framework.
>
> Can someone suggest a server-side approach that works with ASP.NET and
> that can't be easily defeated?
>
> Thanks,
> -KF
>