How to protect a link that will only be downloaded by specific users?

I have the following case and I want to ask what's the best solution?

I have a specific file where I want certain users (according to some permissions) to download that file.

So I only show this file to authorized users, but what if someone who is not authorized recognizes the link to the file (knows the link URL) and downloads it?

How can I allow this file to be loaded only by authorized users?


5 answers


Place the file in a directory that is not served by the web server and implement a handler for the "virtual url", which in turn checks for permissions, etc. - a possible way could be an ASHX handler (see here for sample code and here for MSDN help).





My answer: Don't use direct links!

Create Download.aspx and make the download links point to Download.aspx?params

The parameters must be encrypted / hashed and contain the file name (the name to load) and the session_id.

In Download.aspx, confirm that the session_id is valid and active in the browser.

This allows downloading only for the right people.

If you also add user_id or user_type to the params, you can disable / enable the download in the OnLoad of Download.aspx.



The best way would be to add an HttpHandler and check whether the requested file requires special permissions or not. An example of what I mean:

using System;
using System.Collections.Generic;
using System.Web;
using System.Web.SessionState;

// GroupMembersControl, MemberGroupControl, GroupMembers and MemberGroup are the
// answer author's own data-access classes; they are not shown in the answer.
public class MyHTTPHandler : IHttpHandler, IRequiresSessionState
{
    string myFile;

    public bool IsReusable {
        get { return true; }
    }

    public void ProcessRequest(HttpContext context)
    {
        myFile = context.Request.Path;
        // Only paths under the members' private folder are subject to the checks below;
        // anything else is served as-is.
        if (myFile.ToLower().Contains("members private files") || myFile.ToLower().Contains("members%20private%20files")) {
            if (context.Session["Login"] == null) {
                // not logged in at all
                context.Response.Redirect("~/NotAuthorized.aspx");
            } else if (myFile.ToLower().Contains("privatefiles")) {
                // any logged-in member may download from "privatefiles"
                StartDownload(context, myFile);
            } else if (IsMemberAuthorizedToDownloadFile(context)) {
                StartDownload(context, myFile);
            } else {
                context.Response.Redirect("~/NotAuthorized.aspx");
            }
        } else {
            StartDownload(context, myFile);
        }
    }

    private void StartDownload(HttpContext context, string downloadFile)
    {
        context.Response.Buffer = true;
        context.Response.Clear();
        context.Response.AddHeader("content-disposition", "attachment; filename=" + downloadFile);
        context.Response.ContentType = "application/pdf";
        context.Response.WriteFile(downloadFile);
    }

    // just my own function to check if the user is valid:
    // the file is allowed if its path contains the name of a group the member belongs to
    private bool IsMemberAuthorizedToDownloadFile(HttpContext context)
    {
        GroupMembersControl myGroupMemberC = new GroupMembersControl();
        List<GroupMembers> memberGroups = myGroupMemberC.GetMemberGroups(context.Session["Login"]);
        MemberGroupControl myGroupC = new MemberGroupControl();
        foreach (GroupMembers groupMember in memberGroups) {
            MemberGroup myGroup = myGroupC.GetMemberGroup(groupMember.GroupID);
            if (myFile.ToLower().Contains(myGroup.Name.ToLower())) {
                return true;
            }
        }
        return false;
    }
}

      


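The "no direct links" scheme from the second answer, written as an ASHX handler in the style of the one above; this is an added example, not code from the thread. It assumes a folder ~/App_Data/private that IIS does not serve, a random HMAC key stored in web.config under the appSettings name "DownloadLinkKey", the same Session["Login"] marker the handler above uses, and .NET 4.6 or later for DateTimeOffset.ToUnixTimeSeconds.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;
public class DownloadHandler : IHttpHandler, IRequiresSessionState
{
    // Assumption: files sit in ~/App_Data/private (never served by IIS); the key comes from web.config.
    static readonly byte[] Key = Convert.FromBase64String(
        System.Configuration.ConfigurationManager.AppSettings["DownloadLinkKey"]);
    public bool IsReusable { get { return true; } }
    // The link is bound to this session and an expiry: pasting it into another browser or replaying it later fails.
    public static string MakeLink(string fileName, string sessionId, long expiresUnix)
    {
        return "~/Download.ashx?file=" + HttpUtility.UrlEncode(fileName)
             + "&exp=" + expiresUnix + "&sig=" + Sign(fileName, sessionId, expiresUnix);
    }
    static string Sign(string fileName, string sessionId, long exp)
    {
        using (var hmac = new HMACSHA256(Key))
            return BitConverter.ToString(hmac.ComputeHash(
                Encoding.UTF8.GetBytes(fileName + "|" + sessionId + "|" + exp))).Replace("-", "");
    }
    // Compares every character so timing does not reveal how much of a forged signature matched.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public void ProcessRequest(HttpContext ctx)
    {
        // Only a bare file name is accepted: Path.GetFileName drops any directory or "../" part.
        string file = Path.GetFileName(ctx.Request.QueryString["file"] ?? "");
        string sig = ctx.Request.QueryString["sig"] ?? "";
        long exp;
        bool valid = file.Length > 0
            && ctx.Session["Login"] != null                      // same login check as the handler above
            && long.TryParse(ctx.Request.QueryString["exp"], out exp)
            && exp > DateTimeOffset.UtcNow.ToUnixTimeSeconds()  // link has not expired
            && FixedTimeEquals(sig, Sign(file, ctx.Session.SessionID, exp));
        if (!valid) { ctx.Response.StatusCode = 403; return; }
        ctx.Response.ContentType = "application/octet-stream";
        ctx.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + file + "\"");
        ctx.Response.TransmitFile(Path.Combine(ctx.Server.MapPath("~/App_Data/private"), file));
    }
}
```

Because the file is located by a bare name inside a folder outside the web root, knowing the URL alone is not enough: the request also needs a live session with the matching session id and a signature computed with the server-side key.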
The following link provides details about authorization rules in IIS and ASP.NET; this is similar to your question.

First, you want ASP.NET to handle requests for the specified file type. You can configure this in IIS (see the link below).

Second, you will need to update your web.config to prevent anonymous users from fetching your URL, assuming you are using the role manager:

<roleManager defaultProvider="SqlProvider" enabled="true" cacheRolesInCookie="false"
             cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false"
             cookieSlidingExpiration="true" cookieProtection="All">
  <providers>
    <add name="SqlProvider" type="System.Web.Security.SqlRoleProvider"
         connectionStringName="membership" applicationName="yourApplication"/>
  </providers>
</roleManager>

<location path="path/file.extension">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>


IIS 6 ignores Web.config authorization settings



This guide explains how to protect your files from unauthorized downloads. Exactly what you are looking for:

http://www.magic-dev.com/files-protection.htm
