I have created an ASP.NET Web Forms site with user login.
I have made a page load event in site.master that checks whether Request.IsAuthenticated is false and, if so,
diverts to the login page, so on every page a user who is not logged in is redirected to the login page and is
not able to see that page's content.
Now, my site has a GridView listing a name and a hyperlink to the PDF inside my \image folder.
I have designed the page so that on page load it checks the user name and maps it against my SqlDataSource to check whether he is a super user.
If so, the GridView will show that list. If not, the GridView will return no rows.
Now non-super users are not able to see the GridView rows, as desired.
However, what if they can "guess" the link and type the path and image name? Then they can have access.
What simple thing can I do to stop them from doing so?
I.e., now I have secured the member page against non-logged-in users at page level, but at file level (PDF etc.) the files are not secured. Anyone coming to the site and typing the path gets access to that PDF....
Or maybe I am not making use of ASP.NET correctly and there is a more generic way to make use of it?
Can we make another web.config in the image folder and deny access to non-logged-in users?
Is there any link that shows the full content of that web.config?
Please help.
Thanks
Thanks. I will try to credit the ones who helped, but most important is that we really do sincerely thank all who have helped.
now I have secured the member page against non-logged-in users at page level, but at file level (PDF etc.) the files are not secured. Anyone coming to the site and typing the path gets access to that PDF....
From your description, I suggest you make use of an HttpHandler, which processes the request depending on the resource's extension. So it could be used to secure your files (such as PDF) at request level instead of at page level.
Please refer to the following code:
HandlerForFileAuth.ashx:
using System.Web;

public class HandlerForFileAuth : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;
        HttpRequest request = context.Request;

        // Map the requested URL (for example /image/report.pdf) to its physical file.
        string fileName = context.Server.MapPath(request.FilePath);

        if (request.IsAuthenticated)
        {
            // Logged-in user: send the PDF.
            response.ContentType = "application/pdf";
            response.WriteFile(fileName);
        }
        else
        {
            // Anonymous user: send to the login page instead of the file.
            response.Redirect("~/Login.aspx");
        }
    }

    public bool IsReusable
    {
        get { return false; }
    }
}
Web.config:
<system.webServer>
  <handlers>
    <!--handler for PDF Auth-->
    <add name="PDFHandler" verb="*" path="*.pdf" type="[your namespace].HandlerForFileAuth" />
  </handlers>
</system.webServer>
For more about HttpHandler in ASP.NET, please refer to the following link:
https://msdn.microsoft.com/en-us/library/bb398986.aspx
If you have any other questions, please feel free to contact me any time.
Best Regards,
Dillion
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
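The handler in the answer admits any logged-in user, while the question wants the PDFs limited to super users. The following variant is an added example, not code from the thread: it checks authorization as well as authentication and confines requests to the PDF folder. The class name SuperUserPdfHandler, the role name "SuperUser" (which assumes a role provider is configured) and the ~/image/ root are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Added example, not from the thread: a PDF handler that checks
// authorization (super user) as well as authentication.
public class SuperUserPdfHandler : IHttpHandler
{
    // Assumption: the protected PDFs live under ~/image/.
    private const string ProtectedRoot = "~/image/";
    // Assumption: a role provider maps super users to this role name.
    private const string SuperUserRole = "SuperUser";

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        // Authentication: anonymous callers are sent to the login page.
        if (!request.IsAuthenticated)
        {
            response.Redirect("~/Login.aspx", false);
            context.ApplicationInstance.CompleteRequest();
            return;
        }
        // Authorization: a logged-in user who is not a super user gets 403,
        // even when the PDF URL was typed in directly.
        if (!context.User.IsInRole(SuperUserRole))
        {
            response.StatusCode = 403;
            return;
        }
        // Resolve the request to a physical path and confine it to the folder.
        string root = Path.GetFullPath(context.Server.MapPath(ProtectedRoot))
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string file = Path.GetFullPath(context.Server.MapPath(request.FilePath));
        if (!file.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(file))
        {
            response.StatusCode = 404;
            return;
        }
        response.ContentType = "application/pdf";
        // Keep shared caches from storing a protected document.
        response.Cache.SetCacheability(HttpCacheability.Private);
        response.TransmitFile(file);
    }

    // No per-request state is kept, so the instance can be reused.
    public bool IsReusable { get { return true; } }
}
```

It is registered through the same `<handlers>` entry as above, with the `type` attribute pointing at this class instead of HandlerForFileAuth.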
How to control access to resource on my ASP.Net
Jul 05, 2017 08:42 AM | hkbeer
Re: How to control access to resource on my ASP.Net
Jul 06, 2017 06:44 AM | Zhi Lv - MSFT
Hi hkbeer,
More about HttpHandler in ASP.NET, please refer to the following link:
https://msdn.microsoft.com/en-us/library/bb398986.aspx
Re: How to control access to resource on my ASP.Net
Jul 06, 2017 01:49 PM | hkbeer
It works. Thanks a lot