asp.net media protection

Does anyone know a good practice of securing media for asp.net?

I need to host a variety of media that require permission to view a specific image/video, i.e., a specific user may or may not have permission to view a media file, and this fact may be changed on the fly.

I don't care if they can download a media file that they have access to, I just don't want them to even be aware of items they should not have access to.

I've already considered URL obfuscation; this seems quite lame to me.

I have forms-authenticated users (and I'm not willing to change this).

I would like to keep the media file folder structure unrelated to permissions.

asked Jan 21 '09 18:01 by mson

3 Answers

Build an HttpHandler that all media must be accessed through. Then, prior to retrieving the file and sending it down to the user, you can perform any validations that you'd like. Keep all of your media outside of the main wwwroot path, or deny access to that folder using permissions.

More info on this topic here:

http://www.15seconds.com/Issue/020417.htm

answered Nov 12 '22 00:11 by Lusid


I use an XML file like this to set which users/groups have access to a file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root[
    <!ELEMENT file ANY>
    <!ATTLIST file name ID #REQUIRED>
]>
<root>
    <file name="file.doc" users="155,321" groups="grp5" />
    <file name="file2.doc" users="321" groups="" />
</root>

Files are stored above the HTTP root so they cannot be accessed by URL.

When a user tries to access GetFile.aspx?file=file.doc I load the XML, get the line with

XmlNode xnFile = XML.GetElementById(wantedFile);   // XML is the loaded XmlDocument; null when no such file is listed

then I call a function

HasAccess(Context.User, xnFile);

which checks if the user is logged in and compares the permissions, and if it is OK for this user to have the file, I read the file from disk and write it out with

// wantedFile has already matched a <file name="..."> entry above, so it is a listed name, not an arbitrary path
FileInfo thisFile = new FileInfo(Path.Combine(secretLocation, wantedFile));
Response.Clear();
Response.BufferOutput = false;                       // stream straight to the client instead of buffering
Response.ClearContent();
Response.ClearHeaders();
Response.AddHeader("Content-Length", thisFile.Length.ToString());
Response.AddHeader("Content-Disposition", "attachment; filename=\"" + thisFile.Name + "\"");
Response.ContentType = "application/octet-stream";  // generic binary download
Response.WriteFile(thisFile.FullName);
Response.End();                                      // finishes the request; nothing after this line runs

Actually, now I have more than a thousand files, and I am thinking of writing the file data to the database, as the XML got corrupted twice in 5 years, probably due to crashes or simultaneous use.

answered Nov 12 '22 00:11 by Spikolynn
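A concrete form of the handler Lusid describes and of Spikolynn's GetFile.aspx logic, written as an added example (it is not code from either answer): a C# IHttpHandler that authenticates, authorizes and only then streams a file from a folder outside the web root, answering every failure with the same 404 so users never learn which items exist but are withheld. It assumes forms authentication, a Web.config appSetting named "MediaRoot" pointing at that folder, and that the handler class is registered in Web.config; the Acl table and its user names are constructed stand-ins for the XML file in the answer.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IO;
using System.Web;

// Hypothetical handler; map it in Web.config (e.g. verb="GET" path="media.ashx") so
// /media.ashx?file=file.doc is the only way media is ever served.
public class MediaHandler : IHttpHandler
{
    // Constructed stand-in for the XML / database table in the answers: media name ->
    // forms-auth user names allowed to see it. Edits apply on the user's next request.
    private static readonly Dictionary<string, HashSet<string>> Acl =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "file.doc",  new HashSet<string> { "155", "321" } },
            { "file2.doc", new HashSet<string> { "321" } },
        };
    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;
        string wanted = context.Request.QueryString["file"];
        // One identical 404 for "not logged in", "no such media" and "not permitted",
        // so a user cannot tell which items exist but are withheld from them.
        HashSet<string> allowed;
        if (!context.User.Identity.IsAuthenticated || string.IsNullOrEmpty(wanted)
            || !Acl.TryGetValue(wanted, out allowed)
            || !allowed.Contains(context.User.Identity.Name))
        { NotFound(response); return; }
        // Media live outside the web root (assumed appSetting "MediaRoot"). Keep only the
        // file name from the query value and check the resolved path is still under the
        // root, so a value such as "..\Web.config" can never escape the folder.
        string root = Path.GetFullPath(ConfigurationManager.AppSettings["MediaRoot"])
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string path = Path.GetFullPath(Path.Combine(root, Path.GetFileName(wanted)));
        if (!path.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(path))
        { NotFound(response); return; }
        response.Clear();
        response.Cache.SetCacheability(HttpCacheability.NoCache);  // no proxy/browser copies
        response.ContentType = "application/octet-stream";          // a download is fine here
        response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path) + "\"");
        response.TransmitFile(path);  // streams from disk; nothing after End() executes
        response.End();
    }
    private static void NotFound(HttpResponse r) { r.Clear(); r.StatusCode = 404; r.End(); }
}
```

Because the lookup is done on every request, revoking a user's entry in the Acl (or in the XML/database it stands in for) takes effect immediately, which is the "changed on the fly" requirement from the question.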


From your comment on Spikolynn's answer:

I'm puzzled - how is this different than obfuscation? Would an authenticated user be able to share an image (which they are authorized for) with another authenticated but unauthorized user?

I guess that you try to prevent unauthorized sharing of media.

This is something a lot of companies (Microsoft, Apple, IBM, etc.) have put a considerable amount of money into solving. The solution was DRM, and now they are removing it, because it failed.

So, my answer is that you cannot prevent sharing if the user is willing to put some effort into avoiding it.

You can just keep the honest people honest by applying techniques such as those Spikolynn or Lusid explain in their answers.

answered Nov 11 '22 23:11 by Eduardo Molteni