Securing access to other files in an ASP.NET application

NWx

Hi,

I have an ASP.NET app with forms security.
Users are allowed to upload files (which are "attached" to user accounts in
the database).
Documents are saved in a subfolder of the application, then in a
sub-subfolder with the same name as user account.

For example, for user jo, the document will be saved in
documents/jo/a_picture.jpg
Then, after logon, the user can see all his attached documents in a datagrid,
with a link to open/download.

But if a user remembers the URL without being logged in, and types it into the
browser's address bar, he/she can open/download the document.

How can I extend the security features of ASP.NET forms security to protect
not only ASPX pages, but also all other documents in the application's virtual
folder and subfolders?

Thank you
 
NWx

Hi,
Otherwise you'll probably store your restricted files in a private folder
and use Response.Writefile once you've determined the user is authorized:
http://msdn.microsoft.com/library/d...fsystemwebhttpresponseclasswritefiletopic.asp

So, to use this technique, instead of putting a hardcoded anchor in my
template column, should I put a hyperlink button with appropriate
parameters, so when the user clicks it, it will trigger a server-side event which
will execute a response.writefile, passing the desired file back to the browser?

How can I make a folder restricted? Should I do this using WinNT folder
security features, or put it outside of the virtual web folder (in a folder not
accessible from the web site)?

Which approach will be better?

Thank you very much for your answer.
 
Steve C. Orr [MVP, MCSD]

Yes, you've got the idea.
Standard Windows file/folder permissions should be sufficient to protect the
files from direct access.
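
The approach agreed on in this thread, as an added example that is not part of the original posts: an HTTP handler that serves a file with Response.WriteFile only after forms authentication has identified the user. The class name DownloadHandler, the "file" query-string parameter and the D:\PrivateDocs path are assumptions made for illustration, as is the premise that account names were validated at registration and are safe to use as folder names.

```csharp
using System;
using System.IO;
using System.Web;

// Added example: hypothetical handler, e.g. exposed as Download.ashx?file=a_picture.jpg
public class DownloadHandler : IHttpHandler
{
    // Assumption: a folder outside the virtual directory, so IIS never maps a URL
    // to it; NTFS permissions grant read access to the worker-process account only.
    private const string PrivateRoot = @"D:\PrivateDocs";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Forms authentication has already populated context.User for this request.
        // A 401 here is turned into a redirect to the login page by the forms module.
        if (!context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // The folder comes from the logged-on account, never from the URL,
        // so one user cannot name another user's folder.
        string userDir = Path.GetFullPath(
            Path.Combine(PrivateRoot, context.User.Identity.Name));

        // Reject separators, drive colons, quotes and control characters outright.
        string requested = context.Request.QueryString["file"] ?? "";
        bool badName = requested.Length == 0 ||
                       requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0;

        // Resolve the final path and confirm it is still inside userDir ("." and "..").
        string fullPath = badName ? "" : Path.GetFullPath(Path.Combine(userDir, requested));
        if (badName ||
            !fullPath.StartsWith(userDir + Path.DirectorySeparatorChar,
                                 StringComparison.OrdinalIgnoreCase) ||
            !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
                                   "attachment; filename=\"" + requested + "\"");
        context.Response.WriteFile(fullPath);
    }
}
```

The datagrid link then points at the handler with the file name as a parameter instead of at the document's own URL.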
 
