Last post Feb 01, 2017 10:20 PM by progmgpaspnet
Jan 31, 2017 04:19 AM|progmgpaspnet
I need your advice.
In the past I have just created an 'Images' folder and put static content there. However, I'm wanting to do things a little more securely.
For instance, if I have an image I use in a page that CSS uses for a background, currently all a user has to do is type the URL and add '/images/img1.jpg' to access that file. If it was a document it could be downloaded. If it was something more sensitive (what and why, IDK, just an example), I could have a real issue.
I have read that I could use App_Data. However, I have also read that using the App_Data folder for images is not a good idea (why, IDK). I personally feel that static data is not what App_Data is purposed for, but rather items such as a DB. I also had an issue with CSS not seeing the images either.
I also read that I should use HttpHandlers, which sounds like a great idea. But I wonder what latency that adds to the site. Also, I have not yet gotten this to work. I think I can, using some code examples. But should I head down that road just to protect a folder?
I also know that using <URLMapping> in web.config only allows for individual files, not folders. Clarification on this would truly be appreciated.
I have also read of the fallback of putting the static content folder outside the app. I have never liked this. When I publish the site I do not want to worry about moving items other than the app or dealing with path issues.
Forms authentication is nice, but I can't remember if it affects the CSS if I deny everyone. Or even if it stops the URL entry into the folder when it concerns image files.
I am looking for your insight and thoughts.
Thank You Very Much.
Feb 01, 2017 09:12 AM|Cathy Zou
From your long description, it is hard for us to get the point of your problem.
So, I suggest you list your problems (e.g. 1, 2, 3) so that I can understand them easily.
Then I can give my answer based on the list you provide.
Feb 01, 2017 10:20 PM|progmgpaspnet
Thank you Cathy for your response. I'm sorry for the lack of clarity. I tend to ramble, especially when I get so tired.
So really, I'm looking for the insight, from experienced developers, on securing folders in a web forms application. I was wanting to provide my thoughts on different methods for those considering an answer. But here are my wants, I will leave it to the experienced to provide their thoughts.
1) I do not want a user to just be able to type in a url and get a file to download or an image that I may want to watermark before downloading or viewing. Images and download folders should not be served up to the browser. Forms authentication on folders is great but does not handle this kind of issue.
2) I would still like some static content reachable by CSS. This may not be possible if the content is not provided to the browser.
3) I would rather keep all project content within the Project for ease of deployment. Many have said keep folders out of server paths.
4) Some suggest using the App_Data Folders. But some say that's not the folder's purpose and you would still need use of handlers.
5) I would like to learn to use HttpHandlers and HttpModules but so far have unsuccessfully followed examples. Would the extra request processing make a site sluggish?
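One way to do what point 1 asks, as an added example that is not part of any post in this thread: a generic handler that serves files kept under App_Data (which ASP.NET and IIS do not serve directly) only to authenticated users. The file name ProtectedFile.ashx, the ~/App_Data/Protected folder, the `name` query parameter and the extension list are assumptions made for illustration.

```csharp
<%@ WebHandler Language="C#" Class="ProtectedFile" %>
// ProtectedFile.ashx (hypothetical name). Requested as: ProtectedFile.ashx?name=img1.jpg
using System;
using System.IO;
using System.Web;

public class ProtectedFile : IHttpHandler
{
    // Assumed storage folder inside the project; not reachable by typing a URL.
    private const string Root = "~/App_Data/Protected";
    // Assumed allow-list: anything else (e.g. .config, .mdf) is never served.
    private static readonly string[] Allowed = { ".jpg", ".png", ".gif", ".pdf" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // With forms authentication enabled, a 401 becomes a redirect to the login page.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        string name = context.Request.QueryString["name"] ?? "";

        // Reject empty names and any character that is invalid in a file name.
        // That set includes '/', '\' and ':', so "..\web.config" style paths fail here.
        if (name.Length == 0 || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            context.Response.StatusCode = 404;
            return;
        }

        string ext = Path.GetExtension(name).ToLowerInvariant();
        string fullPath = Path.Combine(context.Server.MapPath(Root), name);
        if (Array.IndexOf(Allowed, ext) < 0 || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Per-user content: keep it out of shared caches.
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.ContentType = MimeMapping.GetMimeMapping(name);
        // A watermarking step would replace TransmitFile with writing the processed image.
        context.Response.TransmitFile(fullPath);
    }
}
```

Images that CSS backgrounds need for every visitor (point 2) can stay in an ordinary public folder; only files that need the authentication check have to go through the handler.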