Redirect user to a new url but not show them the actual URL.

Last post 05-06-2008 5:09 PM by gunteman. 2 replies.

  • Redirect user to a new url but not show them the actual URL.

    05-05-2008, 1:21 AM

    We have a requirement to allow a user to load a large document (up to 100 meg Word documents, for example).

    We have an Enterprise Web Server called DRS (OnDemand) where these documents are stored.  Currently we use a stream to download the content and then send this content to the browser via CGI.  This causes problems when opening large documents: we either get a timeout error or an out-of-memory error.

    One way around this is to send the user directly to DRS (OnDemand) and view the document; the problem here is that their username and password have to be part of the querystring.

     Is it possible to mask the username and password so we are not sending this information from the client but from the Web Server?

     For Example:

    http://server/app/Viewdoc.aspx?ID=1

    This would translate to

    http://DRSServer/ViewDoc.aspx?ID=1&UID=userid&PWD=password

    Regards

     Paul

  • Re: Redirect user to a new url but not show them the actual URL.

    05-05-2008, 1:42 PM
    • stiletto
    • Joined on 07-10-2003, 8:42 AM
    • Louisville, KY
    • Posts 3,121

    You could look at UrlRewriting but I'm not sure that would work when you've actually got to pass the url to the browser and change servers.

    Another option might be to "span the streams" by reading a fixed buffer of bytes (256, 128, or whatever size suits you) and passing that from your DRS input stream to the Response.Output stream until you've exhausted your input stream.

  • Re: Redirect user to a new url but not show them the actual URL.

    05-06-2008, 5:09 PM
    • gunteman
    • Joined on 07-11-2007, 8:57 AM
    • Norrköping, Sweden
    • Posts 1,892

     No, it's not possible to mask a URL. That's an important aspect of general web security.

     Stiletto's stream idea is good and can help a lot. Basically, relay the stream, piece by piece, instead of loading the entire document from the DRS before sending it further.

    Can you make modifications on the DRS server? Can the servers access a shared database (or some other kind of storage)? If so, you could store the information needed for proper authentication (possibly both username and password, but perhaps you won't need that) in a table, together with a freshly baked GUID (Guid.NewGuid()). Send the GUID in the querystring instead of the userid and password, and remove the issued GUIDs from the table after they have been used.

    -- "Mark As Answer" If my reply helped you --
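
The one-time ticket idea from the last reply, as an added example (not code from the thread or from DRS), assuming .NET 5 or later. The in-memory dictionary stands in for the shared table, and the `OneTimeTicketStore` class, the `TICKET` parameter and the sample user are hypothetical. It draws the token from `RandomNumberGenerator` rather than `Guid.NewGuid()`, because GUIDs are designed for uniqueness rather than unpredictability, and it adds an expiry time and a document binding that the reply does not mention.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// In-memory stand-in for the table that both the web server and DRS can reach.
public sealed class OneTimeTicketStore
{
    private sealed record Ticket(string UserId, int DocumentId, DateTime ExpiresUtc);

    private readonly ConcurrentDictionary<string, Ticket> _tickets = new();
    private readonly TimeSpan _lifetime;

    public OneTimeTicketStore(TimeSpan lifetime) => _lifetime = lifetime;

    // Web server side: call only after the user is authenticated and
    // authorized for this document. No password is stored in the ticket.
    public string Issue(string userId, int documentId)
    {
        byte[] raw = new byte[16];
        RandomNumberGenerator.Fill(raw);              // 128 bits from the OS CSPRNG
        string token = Convert.ToHexString(raw);
        _tickets[token] = new Ticket(userId, documentId, DateTime.UtcNow + _lifetime);
        return token;
    }

    // DRS side: TryRemove is atomic, so of two concurrent requests carrying
    // the same token only one can obtain the ticket; a replay finds nothing.
    public bool TryRedeem(string token, int documentId, out string userId)
    {
        userId = string.Empty;
        if (token is null || !_tickets.TryRemove(token, out Ticket t)) return false;
        if (t.ExpiresUtc < DateTime.UtcNow || t.DocumentId != documentId) return false;
        userId = t.UserId;
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new OneTimeTicketStore(TimeSpan.FromSeconds(30));
        string token = store.Issue("paul", 1);        // constructed sample values
        Console.WriteLine($"http://DRSServer/ViewDoc.aspx?ID=1&TICKET={token}");
        Console.WriteLine(store.TryRedeem(token, 1, out string user) + " " + user); // first use
        Console.WriteLine(store.TryRedeem(token, 1, out _));                        // replayed token
    }
}
```

The token still appears in the browser's address bar, history and server logs, which is why it is single-use, short-lived and tied to one document ID.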