In my virtual directory there is a subdirectory which holds some files that others are allowed to download, but if one wants to download a file, he must log in first. After that, he can use my program to query the file, find it, and then download it. But if he knows the file URL, he can bypass the process. For example, one of my files lives in the "File" subdirectory with the name file1.doc; he can download it by sending the request http://myserver/file/file1.doc, and then the file file1.doc will be downloaded by him. I added a section in my web.config file. It looks like this: when someone wants to get a file in the Files directory, the class CheckSession will check whether he has the right to do so. But the class doesn't work, and I find that if I put an aspx file in the directory, it works well. But why? Who can help me? Thank you!
The "problem" is that you're living inside the sandbox of ASP.NET. Let me explain.

ASP.NET is a registered ISAPI on the IIS server. Such an ISAPI adds functionality to the server and is used by technologies such as ASP and ASP.NET. ISAPIs are associated with file extensions inside the configuration of IIS. For ASP.NET, extensions such as .aspx, .config, .cs, .asmx, .vb, .resx, .ascx, .axd, etc. are registered. This means that whenever the server receives a request for a file with one of these extensions, the request is routed to the ASP.NET ISAPI, which continues with the processing. Other extensions are sent to other ISAPIs or, if there is no mapping for the extension, handled by IIS itself. This is the case for the .doc extension, for example. The .doc extension isn't mapped to anything inside IIS, thus IIS handles it itself, that is, by sending the file to the client upon request. So, in one quote that fits it all: "ASP.NET simply doesn't receive the request for that file and thus ASP.NET cannot manipulate the request/response flow for the file".

The way to solve it is by changing the configuration of IIS and mapping that particular file to the ASP.NET runtime (aspnet_isapi.dll), which is a task for the server administration (in the help files, look for ISAPI), but it's pretty straightforward to do. If you can't change the configuration of the web server yourself (or your hosting provider or server admin denies this), you can use the following trick:

- The ".resources" extension is registered for ASP.NET and is mapped inside ASP.NET to a special HttpHandler that denies web requests for these files (just like you can't download the web.config file; try it over here: My Web.Config file). This mapping is done inside machine.config on the server:
- Rename all the files that need protection by adding the .resources extension (e.g. somefile.doc becomes somefile.doc.resources). Users won't be able to request these files directly.

However, if a user is logged in, he should be able to do so. This can be done as follows:

1. Create a download.aspx page that takes a parameter that points to the requested file in some way (e.g. download.aspx?file=somefile.doc, or download.aspx?file=12345 where 12345 is some ID stored in the database as a mapping to the file name, or yet another mechanism can be used).
2. This file is protected (using your HttpHandler, for example, which hooks into the processing flow for the .aspx in question to check the session). Another (more straightforward) way to protect it is by using inside web.config, eventually in combination with the tag (that points to the download.aspx file).
3. Inside the file, you can implement two different approaches:

a. If you want to handle the download yourself, you can stream the file back to the client inside ASP.NET. Basically, the code looks as follows:

Response.ContentType = "the_type"; // e.g. text/plain, application/ms-word
Response.AddHeader("Content-Disposition", "attachment;filename=" + filename); // replace filename with the name you want to be displayed client-side
Response.BinaryWrite(File.ReadAllBytes(localPath)); // flush the file to the client (binary); localPath is the local location of the file on the server (i.e. the file with the .resources extension)

Make sure that you don't have other data in the .aspx that can mess up the response. The page should only contain server-side code (code-behind or embedded). This approach has the advantage that you have complete control over the process and that you can even extend the security so that the database contains mappings of files to users (e.g. to prohibit normal users from downloading the human resources file but to grant access to these files to the human resources people). The disadvantage is that you have to do the streaming yourself, something which can be better done on a higher level (i.e. IIS) for optimal performance (and to limit the possible problems you can have).

b. Based on the user's session, create a subfolder in the web folder where you copy the requested files to, and then redirect the user to that location. E.g. create a subfolder called "A138DBESHUJEORFKJJKL101032" (retrieved from the user's session ID or so; make sure it's unique anyway), copy the .resources file to that location but drop the .resources extension (so somefile.doc.resources becomes somefile.doc) and Response.Redirect to the file (which is now unprotected). Advantage: IIS takes control over the streaming (and you can still control the access to the files inside download.aspx). The disadvantages are that you'll have to do the copying inside ASP.NET (which requires raising the security on the web folders to grant ASP.NET processes full access), you'll have to do clean-up (can be done through global.asax when the session expires; but files will remain there if the session does not expire in ASP.NET, e.g. because of application pool recycling, server restart, etc.), you need quite some space if the site is going to be used heavily, and if the user's session is hijacked the file is still accessible.

I recommend solution 3a. Hope this (quite extensive) explanation will help you to create a great solution for the problem.
Liu_andi
how to protect my file.
Sep 15, 2004 07:26 AM
bdesmet
Re: how to protect my file.
Sep 15, 2004 08:02 AM
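Solution 3a from the answer above, written out as an added example that is not part of the thread or of bdesmet's post. It assumes a session key "UserName" set by the site's login page, an in-memory table (constructed here) standing in for the database that maps a public ID to a file, and protected files stored under ~/Files with the .resources extension so IIS never serves them directly:

```csharp
using System;
using System.Collections;
using System.IO;
using System.Web;
using System.Web.SessionState;

// Added example: an ASP.NET handler for the download step (solution 3a).
// Assumed registration in web.config:
//   <add verb="GET" path="download.ashx" type="FileDownloadHandler" />
// IRequiresSessionState gives the handler access to context.Session.
public class FileDownloadHandler : IHttpHandler, IRequiresSessionState
{
    // Constructed stand-in for the database mapping the answer describes:
    // public ID -> { server-side path of the .resources file, name shown to the client, content type }
    private static readonly Hashtable Files = new Hashtable();

    static FileDownloadHandler()
    {
        Files["12345"] = new string[] { "~/Files/file1.doc.resources", "file1.doc", "application/msword" };
        Files["67890"] = new string[] { "~/Files/notes.txt.resources", "notes.txt", "text/plain" };
    }

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. The session check the original CheckSession class was meant to do;
        //    it now runs because this request is handled by ASP.NET, not by IIS alone.
        if (context.Session["UserName"] == null)
        {
            context.Response.Redirect("~/login.aspx");
            return;
        }

        // 2. Resolve the opaque ID; the client never supplies a file name or path,
        //    so only files listed in the mapping can ever be served.
        string id = context.Request.QueryString["file"];
        string[] entry = id == null ? null : (string[])Files[id];
        if (entry == null)
        {
            context.Response.StatusCode = 404;
            context.Response.End();
            return;
        }

        // 3. Stream the .resources file back under its real name, as the answer outlines.
        string localPath = context.Server.MapPath(entry[0]);
        context.Response.Clear();
        context.Response.ContentType = entry[2];
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + entry[1] + "\"");
        context.Response.BinaryWrite(File.ReadAllBytes(localPath));
        context.Response.End();
    }
}
```

A per-user authorization check (the file-to-user mapping the answer mentions) fits naturally between steps 2 and 3, before any bytes are written.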
Liu_andi
Re: how to protect my file.
Sep 15, 2004 08:11 AM
bdesmet
Re: how to protect my file.
Sep 15, 2004 08:13 AM
munishbhatia
Re: how to protect my file.
Jun 18, 2007 07:44 AM
Great answer to the problem. Yet what I am making is solution 3(b), as required by the client. So I want to know, if I add a simple name like a.doc, is there a need to add the code below in the web.config file?

<httpHandlers>
  <add verb="*" path="*.resources" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>

My problem is that the user must be redirected to the directory matching his username, from where he can download any of his files, but others should not be able to if they copy the URL.
Help me soon
regards,