ASP.NET failing to make folder not accessible

Question

I have a C# Webform application.

It contains a Report folder inside it Which contain some pdf files.

My application will show these reports on demand.

But I do not want someone to access these by typing the direct url

Eg: www.abc.com/Reports/a.pdf

I created the following Web.config inside the report folder:

<configuration>
<system.web>
            <authorization>
                <deny users="?" />                
            </authorization>
</system.web>
</configuration>

Still, when testing I can access pdf files directly.

Also per business rules, I cannot use Form Authentication.

Answer 1

<system.web> controls configuration of the ASP.NET pipeline, not IIS. If you're running under IIS then ASP.NET will not be invoked for static file requests, such as the PDF file you mentioned.

To deny those requests use <system.webServer> instead. See this QA: How to make IIS7 stop serving a folder?

<configuration>
   <system.webServer>
        <security>
            <requestFiltering>
               <hiddenSegments>
                   <add segment="My_Directory" />
               </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

Note that <system.webServer> requires IIS7 or later (Windows Server 2008). If you're running IIS6 (Windows Server 2003 or Windows XP) then this won't work.