
How to secure a link to be downloaded only by specific users?

I have the following case, and I want to ask what the best solution is.

I have a specific file that I want specific users (according to some permissions) to download.

So I show this file only to the authorized users, but what if someone (not authorized) recognizes the file link (knows the link URL) and downloads it?

How can I allow this file to be downloaded only by the authorized users?

Anyname Donotcare asked Apr 02 '12 08:04


3 Answers

Put the file into a directory which is not served by the web server and implement a handler for the "virtual url" which in turn checks for permissions etc. - a possible way would be an ASHX handler (see here for sample code and here for MSDN reference).

Yahia answered Oct 20 '22 01:10
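
The handler approach described in the answer above, as an added example that is not part of the original answer. The storage path `D:\PrivateFiles\`, the role name `Downloaders` and the `file` query parameter are assumptions.

```csharp
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Added example (Download.ashx). PrivateRoot, the "Downloaders" role and the
// "file" query parameter are assumptions, not values from the page.
public class DownloadHandler : IHttpHandler
{
    // Directory outside the web root, so no URL maps to it directly.
    private const string PrivateRoot = @"D:\PrivateFiles\";

    // Plain names only: no slashes, no "..", one optional extension.
    private static readonly Regex SafeName =
        new Regex(@"\A[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?\z");

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;
        // Knowing the URL is not enough: the caller must be logged in...
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            response.StatusCode = 401;
            return;
        }
        // ...and must hold the permission that allows this download.
        if (!context.User.IsInRole("Downloaders"))
        {
            response.StatusCode = 403;
            return;
        }

        // Validate the name before it is ever combined into a path.
        string name = context.Request.QueryString["file"] ?? string.Empty;
        string fullPath = SafeName.IsMatch(name) ? Path.Combine(PrivateRoot, name) : null;
        if (fullPath == null || !File.Exists(fullPath))
        {
            response.StatusCode = 404;
            return;
        }

        response.ContentType = "application/octet-stream";
        response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        response.AddHeader("X-Content-Type-Options", "nosniff");
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.TransmitFile(fullPath);
    }
}
```

Pages then link to `Download.ashx?file=report.pdf` (a constructed file name) instead of the file's own URL, so every request passes through the permission check.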


My answer would be: Don't use direct links!

Create a Download.aspx and have the links for downloads post to Download.aspx?params

The params should be encrypted/hashed containing the filepath+name to download and session_id.

On Download.aspx validate that the session_id is valid and active on the browser.

This should allow you to allow downloads to the correct folks only:

If you also add the user_id or the user_type to the params, you can deny/permit the download in the onLoad of Download.aspx.

Pedro Ferreira answered Oct 20 '22 00:10


The following link provides details on Authorization Rules in IIS and ASP.NET; it seems pertinent to your question.

Firstly, you want to ensure ASP.NET handles requests for your specified file type. You can configure this in IIS (see link below).

Secondly, you will then need to update your web.config to deny anonymous users from reaching your URL, provided that you are using roleManager:

<roleManager defaultProvider="SqlProvider" enabled="true" cacheRolesInCookie="false"
    cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false"
    cookieSlidingExpiration="true" cookieProtection="All">
  <providers>
    <add name="SqlProvider" type="System.Web.Security.SqlRoleProvider"
        connectionStringName="membership" applicationName="yourApplication"/>
  </providers>
</roleManager>

<location path="path/file.extension">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>

IIS 6 ignores Web.config authorization settings

Shay answered Oct 19 '22 23:10