Secure Downloads in Shared hosting

Discussion in 'ASP .Net Security' started by Dave Lambert, May 26, 2004.

  1. Dave Lambert

    Dave Lambert Guest

    Hi there, I have created a download website for members, all downloads are held in a folder and a user can access a specific download when he has paid for them, i then write a record into the database to say the user is entitled to download this item. I then wish when the user logs on, to display all downloads they have bought in a web page, via say a link to the download, how would I do this and stop people just typing in the name of the file directly into the address bar as they could then download the file for free. The site is on a shared server so I cannot change the IIS settings

    Any help would be much appreciated as I am scratching my head and typing at the same time in puzzlement of how to accomplish this effectively!!

    dave
    Dave Lambert, May 26, 2004
    #1
    1. Advertising

  2. Dave,

    Here's the approach I took to a similar situation:

    - I had the downloads in a folder not accessible to anonymous users (can you
    modify permissions?)
    - I processed the download requests programmatically (the code decided
    whether or not they got the download)

    The name of the file could be sent as part of the GET request (ie.
    Download.aspx?file=filename.aaa), then the code could check the database to
    see if they're clear for access.

    Here are some C# code snippits that might help~

    String filename = Request.Params["file"]; // stores "filename.aaa" in
    filename

    // Add your own code here to approve the file.
    // If it's a public site, you probably want to make sure filename doesn't
    // contain double periods, slashes, and whatnot. In fact, you might want
    // to add an encryption/decryption routine just so people will have a
    // hard time generating their own requests

    // If approved for download then do this code
    Response.AppendHeader("Content-Disposition", "attachment; filename=" +
    filename);
    Response.Flush();
    Response.WriteFile("c:\\somefolder\\" + filename);
    Response.End();


    Hope this helps.

    --
    Regards,
    Wes Henderson

    In order to help everyone, please direct all replies to this newsgroup.
    This posting is my personal effort to provide help and is not on behalf of
    any company.
    Also, this posting is provided "AS IS" with no expressed or implied
    warranties.

    "Dave Lambert" <> wrote in message
    news:...
    > Hi there, I have created a download website for members, all downloads are

    held in a folder and a user can access a specific download when he has paid
    for them, i then write a record into the database to say the user is
    entitled to download this item. I then wish when the user logs on, to
    display all downloads they have bought in a web page, via say a link to the
    download, how would I do this and stop people just typing in the name of the
    file directly into the address bar as they could then download the file for
    free. The site is on a shared server so I cannot change the IIS settings.
    >
    > Any help would be much appreciated as I am scratching my head and typing

    at the same time in puzzlement of how to accomplish this effectively!!!
    >
    > dave
    Wes Henderson, May 27, 2004
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. A.M
    Replies:
    5
    Views:
    5,434
    Teemu Keiski
    Jun 8, 2004
  2. Daniel Malcolm
    Replies:
    0
    Views:
    553
    Daniel Malcolm
    Jan 24, 2005
  3. zdrakec
    Replies:
    1
    Views:
    434
    zdrakec
    Jul 25, 2005
  4. Joe
    Replies:
    5
    Views:
    955
    Steven Cheng[MSFT]
    Dec 13, 2005
  5. teo1991
    Replies:
    0
    Views:
    552
    teo1991
    Apr 2, 2009
Loading...

Share This Page