Last post Jul 06, 2017 01:49 PM by hkbeer
Jul 05, 2017 08:42 AM|hkbeer
I have created an ASP.NET Web Forms site with user login.
I have made a page load event in site.master to check whether (Request.IsAuthenticated) is false and, if so,
divert to the login page, so on all pages a user who is not logged in is redirected to the login page and is
not able to see the current page's content.
Now, my site has a GridView listing a name and a hyperlink to the PDF inside my \image folder.
I have designed the page, on page load, to check the user name and map it against my SqlDataSource to check if he is a super user.
If so, the GridView will show that list. If not, the GridView will return no rows.
Now non-superusers are not able to see the GridView rows, as desired.
However, what if they can "guess" the link and type the path and image name? Then they can have access.
What can I do, simply, to stop them from doing so?
I.e., I have now secured the member page against non-logged-in users at the page level, but at the file level (PDF etc.) they are not secured. Anyone coming to the site and typing the path gets access to that PDF....
Or maybe I am not making use of ASP.NET correctly and there is a more generic way to make use of it?
Can we make another web.config in the image folder and deny access to non-logged-in users?
Is there any link that shows the full content of that web.config?
Jul 06, 2017 06:44 AM|Zhi Lv - MSFT
I have now secured the member page against non-logged-in users at the page level, but at the file level (PDF etc.) they are not secured. Anyone coming to the site and typing the path gets access to that PDF....
From your description, I suggest you make use of an HttpHandler, which processes a request depending on the resource's extension. So it can be used to secure your files (such as PDFs) at the request level instead of the page level.
Please refer to the following code:
    using System.Web;

    public class HandlerForFileAuth : IHttpHandler
    {
        public void ProcessRequest(HttpContext context)
        {
            context.Response.ContentType = "application/pdf";
            string FileName = context.Server.MapPath(context.Request.FilePath);
            HttpResponse response = context.Response;
            HttpRequest request = context.Request;
            // Serve the file only to logged-in users; everyone else gets 401.
            if (request.IsAuthenticated) response.WriteFile(FileName);
            else response.StatusCode = 401;
        }
        public bool IsReusable { get { return false; } }
    }

    <!--handler for PDF Auth-->
    <add name="PDFHandler" verb="*" path="*.pdf" type="[your namespace].HandlerForFileAuth" />
More about HttpHandler in ASP.NET, please refer to the following link:
If you have any other questions, please feel free to contact me any time.
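Added example, not part of the thread and not the answerer's code: a handler for the same *.pdf mapping that also enforces the super-user rule the GridView applies, so hiding the rows is no longer the only control. It assumes super users are exposed to ASP.NET as a role named "SuperUser" (the site in the question looks this up through a SqlDataSource instead); the class name and role name are hypothetical.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler name; "SuperUser" is an assumed role name.
public class SuperUserPdfHandler : IHttpHandler
{
    private const string SuperUserRole = "SuperUser";

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        // 1. Anonymous callers get 401; with forms authentication this
        //    ends up as a redirect to the login page.
        if (!request.IsAuthenticated)
        {
            response.StatusCode = 401;
            return;
        }

        // 2. Logged in but not a super user: the same rule the GridView
        //    applies, now enforced on the file request itself.
        if (!context.User.IsInRole(SuperUserRole))
        {
            response.StatusCode = 403;
            return;
        }

        // 3. Map the requested virtual path to disk and serve only
        //    existing .pdf files.
        string physicalPath = context.Server.MapPath(request.FilePath);
        bool isPdf = string.Equals(Path.GetExtension(physicalPath), ".pdf",
                                   StringComparison.OrdinalIgnoreCase);
        if (!isPdf || !File.Exists(physicalPath))
        {
            response.StatusCode = 404;
            return;
        }

        // 4. Keep the document out of shared caches, then stream it.
        response.Cache.SetCacheability(HttpCacheability.Private);
        response.ContentType = "application/pdf";
        response.TransmitFile(physicalPath);
    }

    // The handler holds no per-request state, so one instance can be reused.
    public bool IsReusable { get { return true; } }
}
```

It is registered with the same handlers entry shown in the answer, with the type attribute pointing at this class.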
Jul 06, 2017 01:49 PM|hkbeer
It works. Thanks a lot