Temporary file download link with ASP.NET

Question

I'd like to know how I can generate a temporary download address for my file for a limited time. I know that's not the best practice and probably using HttpHandlers is the way to go according to http://www.devx.com/codemag/Article/34535/1954
But I'm curious to know how I can use urlrewriting to generate a file name using a GUID or some other cryptic naming technique and make it available for a limited time.
I'd appreciate if anyone points me a good article about it.

Answer 1

Well first you need some form of identifier. You suggest a GUID and that's easily done, Guid.NewGuid().ToString("n") gives you such an identifier.

You talk of URI rewriting, but that's really just a bit of polish. You could certainly do some rewriting to turn /myFiles/a948ec43e5b743548fd9a77c462b953e into /myFiles/download.aspx?id=a948ec43e5b743548fd9a77c462b953e or even (after checking a look up table) into myFiles/download.aspx?id=3 or myFiles/download.aspx?fileName=myNewDownload.pdf. This is the same as any other URI rewriting task, so for now lets just ignore it and assume we've a request coming into /myFiles/download.aspx?id=a948ec43e5b743548fd9a77c462b953e whether that is due to rewriting or not.

Okay. You've got an identifier, you need to match this to three things: a stream, a content type and an expiry date.

You could store all of this in the file system, all of it in a database or the details in the database including a path to where the stream is stored as a file in the filesystem.

Lets say store it in the file system with names like:

a948ec43e5b743548fd9a77c462b953e.application_pdf and a5d360178ec14e97abd556ed4b7709cf.text_plain;charset=utf-8

Note that we aren't using normal windows file extensions, so we deal well with the case where the uploading machine had different bindings to your server.

In the case of a948ec43e5b743548fd9a77c462b953e being the item required we first look at the creation date and if it's too long ago (the file has expired), we send a 410 GONE header with an error message explaining the file has expired (we can also delete the file at this point to clean up usage - or perhaps truncate it so it remains a record that the file used to exist, but is 0bytes of storage).

Otherwise we set Response.ContentType to "application/pdf" and then Response.TransmitFile to send the file.

If we'd stored the stream a different way than as a file, we'd want to send it in small chunks (4096 nicely matches other buffers in other parts of the system) and in the case of it being very large call Response.Flush() periodically to prevent memory issues.

That's your basic system done. Niceties would include storing the original file name and sending it in a content-disposition header, and obeying Range requests so that a user can resume a failed download rather than have to start from the beginning.

All of this is pretty orthogonal to any authentication used to ensure only the correct person has the file - you could use it in tandem with a login system of whatever sort, or you could leave it public but time-limited.

Answer 2

Regardless of the ASP.NET framework you are using, I would favour an encrypted token which encrypts a file id (which I asume you have) and a DateTime which will can be decrypted back at server side and validated against its timestamp.

Here is a simplistic implementation:

    public static string GetDownloadToken(int fileId)
    {
        byte[] idbytes = BitConverter.GetBytes(fileId); // 4 bytes 
        byte[] dateTimeBytes = BitConverter.GetBytes(DateTime.Now.ToBinary()); // 8 bytes
        byte[] buffer = new byte[16]; // minimum for an encryption block 
        string password = "password";

        byte[] passwordBytes = Encoding.ASCII.GetBytes(password);
        Array.Copy(idbytes, 0, buffer, 0, idbytes.Length);
        Array.Copy(dateTimeBytes, 0, buffer, idbytes.Length, dateTimeBytes.Length);
        byte[] encryptedBuffer = new byte[256]; 
        using (SHA1CryptoServiceProvider sha1 = new SHA1CryptoServiceProvider())
        {
            int count = sha1.TransformBlock(buffer, 0, buffer.Length, encryptedBuffer, 0);
            return Convert.ToBase64String(encryptedBuffer, 0, count);
        }
    }