I am developing a website. There are some files placed in a folder, and I have also provided links to those files so that users can download them. I am only allowing authenticated users, not everyone, but if any user knows the link to a file, they can put it directly in the address bar and get that file. Can anyone tell me how I can make sure the file is downloaded only by authenticated users, not by all users?
6 Answers
If you have all your files in one folder then you only need to place web.config file in this folder with following content:
<configuration>
  <system.web>
    <authorization>
      <!-- disallow anonymous users -->
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
You can find more details here.
Images can still be downloaded – Shane Nov 29 '18 at 00:41
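The comment above points at a real gap in the folder-level web.config approach: on IIS 7 or later in integrated mode, static files (.pdf, .jpg, ...) are served by the StaticFile handler, and the managed FormsAuthentication and UrlAuthorization modules are skipped for them because those modules carry the managedHandler precondition, so `<deny users="?"/>` never sees the request. The following root web.config is an added example, not part of the answer; it assumes IIS 7+ integrated pipeline and a folder named Files (both assumptions):

```xml
<configuration>
  <!-- Drop the managedHandler precondition so forms authentication and
       URL authorization also run for static files. Set this at the
       application root, not in the subfolder. -->
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>

  <!-- Assumed folder name "Files": deny anonymous users only there,
       so the rest of the site stays public. -->
  <location path="Files">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

On IIS 6 or classic pipeline mode there is no module precondition to relax; there the equivalent is a wildcard script mapping that routes every request through the ASP.NET ISAPI, which is why many people instead move the files out of the web root and serve them from a handler, as the later answers describe.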
You don't want to provide links to the actual files. Your best bet is to store the files in a non-web accessible location, or set permissions on the folder so that it is only accessible to your application, not anonymous users.
You can maintain a list of user specific files in a user_files table in your database, and then link to a download script which defines the filename as a variable, and delivers the user file as an octet stream.
// _fileName comes from the user_files row that matches the current user,
// not from a raw query-string value, so a user can only reach files mapped to them.
string _fileName = /*file name from the user_files lookup*/;
string _path = System.IO.Path.Combine(/*some user specific path*/, "FileDir", _fileName);
System.IO.FileInfo _file = new System.IO.FileInfo(_path);
if (_file.Exists)
{
    Response.Clear();
    Response.AddHeader("Content-Disposition", "attachment; filename=" + _file.Name);
    Response.AddHeader("Content-Length", _file.Length.ToString());
    Response.ContentType = "application/octet-stream";
    Response.WriteFile(_file.FullName);
    Response.End();
}
If you're using asp.net roles and authentication then you can do something like this in your web config...
<location path="Admin">
<system.web>
<authorization>
<allow roles="Administrator" />
<deny users="?" />
</authorization>
</system.web>
</location>
Does it allow an unauthenticated user who visited the website to download the file? I want the user not to have direct access from the browser, for example http://localhost:434/application/text.pdf – Emaad Ali Mar 15 '11 at 11:21
Yes it would. This example would prevent anyone who isn't authenticated and in the role Administrator from accessing anything in the Admin directory. – BenCr Mar 15 '11 at 11:40
You should not show a direct link to the file; you should create something like a proxy (I suppose an HTTP handler is a good fit for that). In the handler you should check that the user is authenticated (probably by checking some value from the session); if so, return the file, otherwise return not found or something else.
So the URLs for all files will look like this:
http://localhost/filesHandler.ashx?file=pathToFile
Be very careful with this. I recently had to deal with an application that took the pathToFile as given, and allowed anything to be downloaded from the server – m.edmondson Mar 15 '11 at 11:27
@m.edmondson: Yes, you need to disable direct file downloads. In addition, instead of the path to the file, better use something like a file hash. – Andrew Orsich Mar 15 '11 at 11:33
@m.edmondson: No, a randomly generated hash (or a hash of filename + fileId or something like this). – Andrew Orsich Mar 15 '11 at 11:37
@m.e Another option would be to have some sort of "mapping": each file is mapped to some unique ID (it can't be simple 1, 2, 3 integers) and the `ashx` gets that ID only. – Shadow The GPT Wizard Mar 15 '11 at 11:49
Why bother writing all this extra code when he can take advantage of the location element of web.config, which takes no code? The only reason for me would be that he's using some totally proprietary authentication system and not the built-in method. – BenCr Mar 15 '11 at 12:54
One solution: do not put a link directly to that file on your site, and don't put those files where a visitor could guess the location.
Instead use a link like "download.aspx?file=filename". Then in that download.aspx you can verify the user and Response.WriteFile that file.
(a Download.ashx would also work)
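The download-handler approach described in the answers above (a download script or .ashx that checks the user and streams the file) and the warnings in the comments (never take the path from the request; map files to non-guessable IDs) fit together in one handler. The following is an added example, not code from any of the answers: an IHttpHandler that only serves a file if the caller is authenticated, the requested token is mapped to that user in a user_files lookup, and the resolved path still lies under the storage directory. The base directory, the user names, the tokens and the in-memory dictionary standing in for the user_files table are all assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Added example: register as Download.ashx with
//   <%@ WebHandler Language="C#" Class="SecureDownloadHandler" %>
// and link to Download.ashx?id=<token> instead of to the file itself.
public class SecureDownloadHandler : IHttpHandler
{
    // Assumed storage location outside the web root: no URL maps to these files directly.
    private static readonly string BaseDir = @"D:\AppData\UserFiles";

    // Stand-in for the user_files table: userName -> (opaque token -> stored file name).
    // Tokens are random strings, not sequential ids, so they cannot be enumerated.
    // A real implementation queries the database for the current user's rows.
    private static readonly Dictionary<string, Dictionary<string, string>> UserFiles =
        new Dictionary<string, Dictionary<string, string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["alice"] = new Dictionary<string, string> { ["f3d2a9c4b1e84c7f9a0b"] = "report-2018.pdf" },
            ["bob"]   = new Dictionary<string, string> { ["0a77e1d5c9f34b2e8d61"] = "invoice.pdf" },
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Authentication: anonymous callers get 404, not a hint that the file exists.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 404;
            return;
        }

        // 2. Authorization: the token must be mapped to *this* user.
        string token = context.Request.QueryString["id"];
        string storedName = LookupFile(context.User.Identity.Name, token);
        if (storedName == null)
        {
            context.Response.StatusCode = 404;
            return;
        }

        // 3. Defence in depth: even a bad row in the table must not escape BaseDir.
        string fullPath = ResolveUnderBase(BaseDir, storedName);
        if (fullPath == null || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.Clear();
        context.Response.ContentType = "application/octet-stream";
        context.Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath).Replace("\"", "") + "\"");
        context.Response.AppendHeader("Content-Length", new FileInfo(fullPath).Length.ToString());
        context.Response.TransmitFile(fullPath);
        context.ApplicationInstance.CompleteRequest();
    }

    // Returns the stored file name for (user, token), or null if the token is not theirs.
    public static string LookupFile(string userName, string token)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(token)) return null;
        Dictionary<string, string> files;
        if (!UserFiles.TryGetValue(userName, out files)) return null;
        string name;
        return files.TryGetValue(token, out name) ? name : null;
    }

    // Normalises baseDir + relative and returns null when the result leaves baseDir
    // (e.g. "..\web.config" or an absolute path such as "C:\Windows\win.ini").
    public static string ResolveUnderBase(string baseDir, string relative)
    {
        string root = Path.GetFullPath(baseDir).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, relative));
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }
}
```

Two design points worth noting. The handler answers 404 for every failure (not signed in, token not mapped to this user, file missing), so probing for other users' tokens yields nothing distinguishable. And the path check in ResolveUnderBase is deliberately kept even though the file name never comes from the request: the table is the trust boundary, and a later bug that lets a user-supplied name into it should still not be able to read web.config or anything else outside the storage folder.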
You just need to check whether the logged-in user is authenticated in the file download page's Page_Load event. If they are authenticated, allow the user to download the file; otherwise, do not.
Not relevant. The OP is talking about direct link to the file, no Page_Load anywhere. – Shadow The GPT Wizard Mar 15 '11 at 11:13