Protecting PDFs with Forms Authentication?

M

Mike Kingscott

Hi there,

I'm writing an app in which a punter buys some PDFs online. After
purchasing said PDFs, they will be given a token (bless them Guids) to
go to a download .ASPX page from which they can download the PDFs.

I'm planning to use Forms Authentication to protect the .ASPX page
which gives them the list of PDFs they can download (driven by the
token, which will be their order number or similar). The page will
also only allow 10 loads and the list of PDFs will only be available
for 24 hours to cut down on other people obtaining the PDFs.

And there's the rub: for the PDFs to be downloaded from the site, they
have to exist in the site. And if that's the case, what's to prevent
people figuring out (right-click, view properties of the hyperlink)
the URL of the PDF and going directly to the PDFs? I was hoping that
Forms Authentication would protect all files in a folder, but it
appears not to do so - I directly download a PDF file in a folder
protected by Forms Authentication, guess it only works for .aspx
files?

So, does anyone have any suggestions? I did think about creating a
separate folder for each order (i.e. each Guid), and then copying the
PDFs into that, but the files are quite large, and then a job on the
server would have to run each day to wipe old folders, etc.

Yours in hope,

Mike Kingscott
 
R

Raterus

I believe all you need to do is to configure your IIS App Mappings under Home Directory/ Application Settings/ Configuration to route requests for .pdf's through aspnet_isapi.dll. Forms authentication should pick up on the requests then, and allow/deny them access accordingly.

--Michael
 
P

Patrice

They have not necessarily to be on the site. A web page could rread this
file from another locartion and stream its content to the browser (see the
Response.WriteFile method).

Patrice
 
M

Mike Kingscott

Guys, thanks very much for the speedy response. At the moment, I've
gone for protecting the file via the aspnet_isapi.dll method, and it
works just dandy. As for using the Repsonse.WriteFile method, I may
have to try that as well, just for extra security, but I'm wondering
if it would work for a right-click Save As... command? Ah well,
something to play with when I have time ;-)

Thanks again,

Mike Kingscott
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top