通过WCF生成文件，通过具有访问权限验证的ASP.NET下载

Question

I need to implement a operation in which the user requests a file which takes sometime to be generated ( 2 - 4 minutes). After that, the user needs to download the file, preferentially through ASP.NET ( to make use of the browser download facility). Only the specified user can download this file.

Here is how i tried to do it:

First, I built a duplex wcf service. The user calls it with the data it needs and then it starts the file generation, notifying the progress through the callback channel. In the end, the service is supposed to send to the user a url, token which he will use to download the file. This part works fine.

I saved the file to a temp folder in the asp_data folder, to prevent it from being accessed directly. Then I created a aspx page to receive the token ( whatever it is), validate it against the current user, the defined expiration, and replace the response with the file.

Then the things got messy. I do not know the right way to generate the token through WCF, return it to the client and use it the access the download page. I tried two different approaches, but I think I'm giving up on both:

• Generate a guid for the file, encrypt it inside a FormsAuthenticationTicket (with the user information and expiration) and send it to the client. The client then uses the ticket encrypted string as the token to the download page, which validates the user in the ticket against the current one , check the expiration, extracts the guid and sends the file back. The problem is that the generated encrypted string gets really big, unusable in a url.

• Generate a guid for the file, save it in ticket ( with validation data and the path to the file) in the httpcontext session. the wcf service then passes the guid to the client, who uses it to access the download page. The download page checks the session, retrieves the ticket, serves the file. The problem is I'm having some trouble acessing the session in the WCF operation. The user requests the file, the server starts a thread to generate the file and make the callback calls, so the first server call returns (nothing). When I've finish generating the file with success, the callback thread tries to access the session, save the ticket and return the guid to the user in a 'FinishOperationXXX' callback. I cant access the session, though, because it seems to be no longer available to the callback thread.

I don't want to use a database to do this, and I'm trying to avoid downloading the file throught the WCF itself, but I need to get this working. I guess I'll manage to do it somehow, but I wonder:

Am I doing this the hard way? Do anyone have a clue about implementing something alike?

Answer 1

Why do you need encryption and a FormsAuthenticationTicket?

Wouldn't it work well enough to just name the file with the type of file, user's userid and a timestamp (filetype_userid_timestamp.ext) and only allow users to download files that contain their userid in the middle field?

(type of file being different for each page doing this in case you had more than one...)

Authentication for the user should already be handled by the session right?