Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to secure a link to be downloaded only by specific users?

Tags:

c#

security

asp.net

iis

authorization

I have the following case , and i wanna to ask what's the best solution ?

I have a specific file i wanna specific users(according to some permissions) to download this file .

so i show this file only for the authorized users, but what if someone(not authorized) recognize the file link(knows the link url) and download it !!

How to allow this file to be downloaded only by the authorized users .

like image 650
Anyname Donotcare Avatar asked Apr 02 '12 08:04

Anyname Donotcare

3 Answers

Put the file into a directory which is not served by the web server and implement a handler for the "virtual url" which in turn checks for permissions etc. - a possible way would be an ASHX handler (see here for sample code and here for MSDN reference).

like image 78
Yahia Avatar answered Oct 20 '22 01:10

Yahia

My answer would be: Dont use direct links!

Create a Download.aspx and have the links for downloads post to Download.aspx?params

The params should be encrypted/hashed containing the filepath+name to download and session_id.

On Download.aspx validate that the session_id is valid and active on the browser.

This should allow you to allow downloads to the correct folks only:

If you add to the params also the user_id or the user_type you can deny/permit download on the onLoad of Download.aspx

like image 23
Pedro Ferreira Avatar answered Oct 20 '22 00:10

Pedro Ferreira

The following link provides details on Authorization Rules in iis and asp.net, it seems pertinent to your question.

Firstly you want to ensure ASP.NET handles request for your specified file type. You can configure this in IIS (see link below).

Secondly, you will then need to update your web.config to deny anonymous users from reaching your url, providing that you are using rolemanager :

 <roleManager defaultProvider="SqlProvider" enabled="true" cacheRolesInCookie="false"     
   cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false"  
   cookieSlidingExpiration="true" cookieProtection="All">
  <providers>
    <add name="SqlProvider" type="System.Web.Security.SqlRoleProvider" 
        connectionStringName="membership" applicationName="yourApplication"/>
  </providers>
</roleManager>



<location path="path/file.extension">
      <system.web>
      <authorization>
         <deny users="?"/>
       </authorization>
     </system.web>
   </location>

IIS 6 ignores Web.config authorization settings

like image 42
Shay Avatar answered Oct 19 '22 23:10

Shay
Sign in to Comment

Related questions

Conditional operator and Comparison Delegate
WinRT reason for disallowing custom generic types or interfaces
Get result of async method
Using EPPlus, I am trying to export a gridview to an Excel Sheet
Creating WCF service without .svc file
Overloading generic type parameters disallowed?
550 file unavailable error with FtpWebRequest class file upload. Works fine in FileZilla
DEVEXPRESS - xtrareport - page break
Something blocks my memory and the program hangs on GC.Collect() or GC.GetTotalAmountOfMemory(true)
Serialization of TestRunType throwing an exception [duplicate]
Why use singleton for application logging?
C# How can I paste formatted text from clipboard to the RichTextBox
Redirect After Login : Web.config
C# with MySQL through Connector/NET
transferring one object properties values to another one
Using unity interception to solve exception handling as a crosscutting concern
How to retrieve digital signature information (name, date, ...) with ItextSharp
Returning Json instead of XML with Umbraco Base
How to programmatically compile a c code from a c# code using mingw32-gcc compiler
Search longest pattern in byte array in C#

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!