Protecting PDFs with Forms Authentication?

Discussion in 'ASP .Net' started by Mike Kingscott, Jun 21, 2004.

  1. Hi there,

    I'm writing an app in which a punter buys some PDFs online. After
    purchasing said PDFs, they will be given a token (bless them Guids) to
    go to a download .ASPX page from which they can download the PDFs.

    I'm planning to use Forms Authentication to protect the .ASPX page
    which gives them the list of PDFs they can download (driven by the
    token, which will be their order number or similar). The page will
    also only allow 10 loads and the list of PDFs will only be available
    for 24 hours to cut down on other people obtaining the PDFs.

    And there's the rub: for the PDFs to be downloaded from the site, they
    have to exist in the site. And if that's the case, what's to prevent
    people figuring out (right-click, view properties of the hyperlink)
    the URL of the PDF and going directly to the PDFs? I was hoping that
    Forms Authentication would protect all files in a folder, but it
    appears not to do so - I directly download a PDF file in a folder
    protected by Forms Authentication, guess it only works for .aspx
    files?

    So, does anyone have any suggestions? I did think about creating a
    separate folder for each order (i.e. each Guid), and then copying the
    PDFs into that, but the files are quite large, and then a job on the
    server would have to run each day to wipe old folders, etc.

    Yours in hope,

    Mike Kingscott
     
    Mike Kingscott, Jun 21, 2004
    #1
    1. Advertising

  2. Mike Kingscott

    Raterus Guest

    I believe all you need to do is to configure your IIS App Mappings under Home Directory/ Application Settings/ Configuration to route requests for .pdf's through aspnet_isapi.dll. Forms authentication should pick up on the requests then, and allow/deny them access accordingly.

    --Michael

    "Mike Kingscott" <9.co.uk> wrote in message news:...
    > Hi there,
    >
    > I'm writing an app in which a punter buys some PDFs online. After
    > purchasing said PDFs, they will be given a token (bless them Guids) to
    > go to a download .ASPX page from which they can download the PDFs.
    >
    > I'm planning to use Forms Authentication to protect the .ASPX page
    > which gives them the list of PDFs they can download (driven by the
    > token, which will be their order number or similar). The page will
    > also only allow 10 loads and the list of PDFs will only be available
    > for 24 hours to cut down on other people obtaining the PDFs.
    >
    > And there's the rub: for the PDFs to be downloaded from the site, they
    > have to exist in the site. And if that's the case, what's to prevent
    > people figuring out (right-click, view properties of the hyperlink)
    > the URL of the PDF and going directly to the PDFs? I was hoping that
    > Forms Authentication would protect all files in a folder, but it
    > appears not to do so - I directly download a PDF file in a folder
    > protected by Forms Authentication, guess it only works for .aspx
    > files?
    >
    > So, does anyone have any suggestions? I did think about creating a
    > separate folder for each order (i.e. each Guid), and then copying the
    > PDFs into that, but the files are quite large, and then a job on the
    > server would have to run each day to wipe old folders, etc.
    >
    > Yours in hope,
    >
    > Mike Kingscott
     
    Raterus, Jun 21, 2004
    #2
    1. Advertising

  3. Mike Kingscott

    Patrice Guest

    They have not necessarily to be on the site. A web page could rread this
    file from another locartion and stream its content to the browser (see the
    Response.WriteFile method).

    Patrice

    --

    "Mike Kingscott" <9.co.uk> a écrit dans le message de
    news:...
    > Hi there,
    >
    > I'm writing an app in which a punter buys some PDFs online. After
    > purchasing said PDFs, they will be given a token (bless them Guids) to
    > go to a download .ASPX page from which they can download the PDFs.
    >
    > I'm planning to use Forms Authentication to protect the .ASPX page
    > which gives them the list of PDFs they can download (driven by the
    > token, which will be their order number or similar). The page will
    > also only allow 10 loads and the list of PDFs will only be available
    > for 24 hours to cut down on other people obtaining the PDFs.
    >
    > And there's the rub: for the PDFs to be downloaded from the site, they
    > have to exist in the site. And if that's the case, what's to prevent
    > people figuring out (right-click, view properties of the hyperlink)
    > the URL of the PDF and going directly to the PDFs? I was hoping that
    > Forms Authentication would protect all files in a folder, but it
    > appears not to do so - I directly download a PDF file in a folder
    > protected by Forms Authentication, guess it only works for .aspx
    > files?
    >
    > So, does anyone have any suggestions? I did think about creating a
    > separate folder for each order (i.e. each Guid), and then copying the
    > PDFs into that, but the files are quite large, and then a job on the
    > server would have to run each day to wipe old folders, etc.
    >
    > Yours in hope,
    >
    > Mike Kingscott
     
    Patrice, Jun 21, 2004
    #3
  4. Guys, thanks very much for the speedy response. At the moment, I've
    gone for protecting the file via the aspnet_isapi.dll method, and it
    works just dandy. As for using the Repsonse.WriteFile method, I may
    have to try that as well, just for extra security, but I'm wondering
    if it would work for a right-click Save As... command? Ah well,
    something to play with when I have time ;-)

    Thanks again,

    Mike Kingscott
     
    Mike Kingscott, Jun 22, 2004
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Scott McFadden

    problem with pdfs

    Scott McFadden, Jul 16, 2003, in forum: ASP .Net
    Replies:
    0
    Views:
    388
    Scott McFadden
    Jul 16, 2003
  2. Eric
    Replies:
    2
    Views:
    1,566
    Tommy
    Feb 13, 2004
  3. Adam
    Replies:
    2
    Views:
    9,876
  4. Eric
    Replies:
    2
    Views:
    647
  5. Replies:
    9
    Views:
    804
    shaval
    May 29, 2012
Loading...

Share This Page