Forms authentication doesn't work for downloads

Discussion in 'ASP .Net Security' started by Peter Afonin, Nov 23, 2004.

  1. Peter Afonin

    Peter Afonin Guest

    Hello,

    I'm using Forms authentication, and it works well. If user is not
    authenticated, he is routed to the login page.

    However, this doesn't work for downloads. If I have a file located in the
    restricted area and put a direct link to it - anyone can download it.

    Why is this? I expected that people would also be routed to the login
    screen. How to make this happen?

    I would appreciate your help.

    Thank you,

    --
    Peter Afonin
    Peter Afonin, Nov 23, 2004
    #1
    1. Advertising

  2. Forms authentication is handled by the framework - thus you likely need to
    pass that type of file through the asp.net handler by mapping it in IIS...

    --
    Regards

    John Timney
    ASP.NET MVP
    Microsoft Regional Director

    "Peter Afonin" <> wrote in message
    news:%...
    > Hello,
    >
    > I'm using Forms authentication, and it works well. If user is not
    > authenticated, he is routed to the login page.
    >
    > However, this doesn't work for downloads. If I have a file located in the
    > restricted area and put a direct link to it - anyone can download it.
    >
    > Why is this? I expected that people would also be routed to the login
    > screen. How to make this happen?
    >
    > I would appreciate your help.
    >
    > Thank you,
    >
    > --
    > Peter Afonin
    >
    >
    John Timney \(ASP.NET MVP\), Nov 23, 2004
    #2
    1. Advertising

  3. Peter Afonin

    Teemu Keiski Guest

    Forms Auth works only for those pages/file/resources which are processed by
    ASP.NET by default. That is aspx,asmx, config and such. You can tweak that
    in IIS (See Applications configuration for different file extensions like
    where aspx is mapped to aspnet_isapi.dll) by having the custom file
    extension mapped for aspnet_isapi.dll

    See this blog post for detailed explanations:

    Protect PDF, DOC and other file types with Forms Authentication
    http://dotnetjunkies.com/WebLog/richard.dudley/archive/2004/05/21/14215.aspx

    --
    Teemu Keiski
    MCP, Microsoft MVP (ASP.NET), AspInsider
    ASP.NET Forum Moderator, AspAlliance Columnist
    http://blogs.aspadvice.com/joteke



    "Peter Afonin" <> wrote in message
    news:%...
    > Hello,
    >
    > I'm using Forms authentication, and it works well. If user is not
    > authenticated, he is routed to the login page.Protect PDF, DOC and other

    file types with Forms Authentication
    >
    > However, this doesn't work for downloads. If I have a file located in the
    > restricted area and put a direct link to it - anyone can download it.
    >
    > Why is this? I expected that people would also be routed to the login
    > screen. How to make this happen?
    >
    > I would appreciate your help.
    >
    > Thank you,
    >
    > --
    > Peter Afonin
    >
    >
    Teemu Keiski, Nov 23, 2004
    #3
  4. Peter Afonin

    Peter Afonin Guest

    Thank you very much for your explanations!

    Peter

    "Teemu Keiski" <> wrote in message
    news:%...
    > Forms Auth works only for those pages/file/resources which are processed

    by
    > ASP.NET by default. That is aspx,asmx, config and such. You can tweak that
    > in IIS (See Applications configuration for different file extensions like
    > where aspx is mapped to aspnet_isapi.dll) by having the custom file
    > extension mapped for aspnet_isapi.dll
    >
    > See this blog post for detailed explanations:
    >
    > Protect PDF, DOC and other file types with Forms Authentication
    >

    http://dotnetjunkies.com/WebLog/richard.dudley/archive/2004/05/21/14215.aspx
    >
    > --
    > Teemu Keiski
    > MCP, Microsoft MVP (ASP.NET), AspInsider
    > ASP.NET Forum Moderator, AspAlliance Columnist
    > http://blogs.aspadvice.com/joteke
    >
    >
    >
    > "Peter Afonin" <> wrote in message
    > news:%...
    > > Hello,
    > >
    > > I'm using Forms authentication, and it works well. If user is not
    > > authenticated, he is routed to the login page.Protect PDF, DOC and other

    > file types with Forms Authentication
    > >
    > > However, this doesn't work for downloads. If I have a file located in

    the
    > > restricted area and put a direct link to it - anyone can download it.
    > >
    > > Why is this? I expected that people would also be routed to the login
    > > screen. How to make this happen?
    > >
    > > I would appreciate your help.
    > >
    > > Thank you,
    > >
    > > --
    > > Peter Afonin
    > >
    > >

    >
    >
    Peter Afonin, Nov 23, 2004
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Mark MacRae

    Forms Authentication timeout doesn't work

    Mark MacRae, Aug 6, 2003, in forum: ASP .Net
    Replies:
    0
    Views:
    531
    Mark MacRae
    Aug 6, 2003
  2. Eric
    Replies:
    2
    Views:
    1,389
    Tommy
    Feb 13, 2004
  3. www.MSmobiles.com
    Replies:
    1
    Views:
    1,500
    www.MSmobiles.com
    Jul 18, 2004
  4. Peter Afonin
    Replies:
    3
    Views:
    463
    Peter Afonin
    Nov 23, 2004
  5. Eric
    Replies:
    2
    Views:
    463
Loading...

Share This Page