stackoom
  简体   繁体   中英

How to protect direct file access

 原文  2014-03-25 20:42:20       c#/ asp.net/ iis-7

Question

I am building a webform application that only logged user can see certain pages.

Those pages contains links to several files, but once users know the full url (ex: " http://mywebsite.com/files/readme.txt ") they can access it any where any time without having to logged-in.

I use my custom authentication, I am not using asp.net provided security.

How can I prevent such problem, I am using asp.net C# 4.5 webform application, my hosting provider using IIS 7

2 answers

solution1
 0  2014-03-25 20:47:03

Don't provide direct links to the files. Create a new page called GetFile.aspx?id=1 and have the page retrieve the files. That way the user never knows or has direct access to the files on your server. This way you can change security on the folder where your files exist so only the web server can access them directly.

Change your links on the page to be:

<a href="GetFile.aspx?id=1">Click here for read me file</a>

Example of how to download a file from asp.net: 

public void DownloadFile(string fileName)
{
    Response.Clear();
    Response.ContentType = @"application\octet-stream";
    System.IO.FileInfo file = new System.IO.FileInfo(Server.MapPath(FileName));
    Response.AddHeader("Content-Disposition", "attachment; filename=" + file.Name);
    Response.AddHeader("Content-Length", file.Length.ToString());
    Response.ContentType = "application/octet-stream";
    Response.WriteFile(file.FullName);
    Response.Flush();
}

Code example taken from this question: Open any file from asp.net

solution2
 0  2014-03-25 21:13:29

Are you using any of the authentication schemes that provide ASP.Net (Windows,Forms,Passport)?

If yes, you could add to your Web.config file a 'location' section in which you can restrict the access for non-logged users to your file repository, something like this (based on your example): 

<configuration>
  <location path="files">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>

In this case it doesn't matter if the user knows the full url address because it will not be available if it is offline

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Sitecore: how to bypass MVC routing to allow direct access to a file/folder? How do I disallow download file through direct url access? How to protect WinForms app from direct-SQL How to Protect My Configuration File How to access Direct Manipulation interfaces Restrict direct file access of our attachment folder How to protect a *.sdf (sqlCE file) with a password How to protect SqlLocalDB database file with custom password How to keep/protect a file from being modified? How to protect methods with Password in .net dll file?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM