Securing a directory

Simon Harvey · Feb 15, 2004

Hi everyone,

I just read an article that said that when you use a web.config file to
secure a directory, all it can do is secure the asp.net resources in that
directory - not any non .net resources.
For ecample, image files, html and asp files would not be secured.

I didnt actually realise this and it gave me a bit of a fright! Can anyone
suggest the best way to keep a directory secured in an application using
Forms Authentication.

It's not a problem for me at the moment because I havent made a site that
would be affected, but I'm not really sure how I would ensure a directory
was totally locked down should the need arise.

Thanks to anyone who can help

Kindest Regards

Simon

Milan Negovan · Feb 16, 2004

Hi Simon,

You can secure a directory via web.config by using the <location> element.
As to non-ASP.NET resources---your source was correct. Your IIS maps a
number of extensions to the ASP.NET ISAPI. Each request for .aspx, .ashx,
..asmx and a number of other extensions is routed through the ASP.NET HTTP
Pipeline. The pipeline provides authentication, authorization, caching and
everything else. On the other hand, .htm, .html, .gif, .jpg, etc extensions
are not serviced by ASP.NET by default to avoid unnecessary overhead. You
*can* reassign them to the ASP.NET ISAPI. I briefly touched on this subject
in my article on custom error pages at
http://www.aspnetresources.com/articles/CustomErrorPages.aspx (scroll down
to "What about HTML pages?").

The bottom line is you can have everything go through the ASP.NET pipeline
but this will incur is certain overhead. If you need code samples of how to
secure downloads of images, pdf's, etc let me know. I'll look up a couple.

Paul · Feb 16, 2004

Milan said:
If you need code samples of how to secure downloads of images, pdf's,
etc let me know. I'll look up a couple.

I'd be interested in that as well (esp the pdfs)

Ta.

Milan Negovan · Feb 16, 2004

Hi Paul,

There's one I know off the top of my head:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndotnet/html/servingimages.asp.
This one serves images. The idea with PDFs is similar.

Paul · Feb 16, 2004

Milan said:
There's one I know off the top of my head:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndotne
t/html/servingimages.asp.
This one serves images. The idea with PDFs is similar.

Thanks, I'll have a look in the morning.

Milan Negovan · Feb 16, 2004

Hi again,

Here's one for Word files but you can tailor it to stream PDFs:
http://www.devcity.net/net/article.aspx?alias=contentthieves

Simon Harvey · Feb 16, 2004

Simon Harvey said:
Hi everyone,

I just read an article that said that when you use a web.config file to
secure a directory, all it can do is secure the asp.net resources in that
directory - not any non .net resources.
For ecample, image files, html and asp files would not be secured.

I didnt actually realise this and it gave me a bit of a fright! Can anyone
suggest the best way to keep a directory secured in an application using
Forms Authentication.

It's not a problem for me at the moment because I havent made a site that
would be affected, but I'm not really sure how I would ensure a directory
was totally locked down should the need arise.

Thanks to anyone who can help

Kindest Regards

Simon

Hi there,

Thanks for your reply!

Those solutions seem a bit convoluted just to keep a directory secure. Do
you know of any simpler way, such as putting the sensitive information
someplace that its directly accessible via the web, and then providing
asp.net code to get the files should a user be authenticated correctly.

Is that possible or am I just being silly!

Simon

Milan Negovan · Feb 16, 2004

Hi there,

Thanks for your reply!

Those solutions seem a bit convoluted just to keep a directory secure. Do
you know of any simpler way, such as putting the sensitive information
someplace that its directly accessible via the web, and then providing
asp.net code to get the files should a user be authenticated correctly.

Is that possible or am I just being silly!

Simon

Hi Simon,

You can have one page to control downloads. For example, some kind of a
download.aspx page protected with Forms Authentication. Say you collect user
info and have this page redirect to a PDF/DOC/XLS/etc. If anyone can figure
out your file naming convention (if there's one) they'll know how to bypass
the download page, so it really depends on hw far you want to go with this.
On our company web site we have a few PDFs that we "protect" this way
(http://www.custfeedback.com/resources/default.aspx). Once you click a link
to a PDF, download.aspx collects info and redirects you to the file which
triggers a "save as" dialog.

Does it make sense?

Securing a directory and its files with forms authentication	1	Apr 15, 2008
Securing a server side directory	2	Apr 18, 2009
Securing a C++ class	17	Jul 23, 2009
Securing a web service	1	Jan 11, 2005
Securing files for download.	4	Dec 9, 2003
securing an intranet site	2	May 31, 2006
Securing attachments,e.g., .pdf, .doc, .xls through web.config	1	May 25, 2005
Securing non aspx pages with forms authentication??	2	Oct 6, 2005

Securing a directory

Simon Harvey

Milan Negovan

Paul

Milan Negovan

Paul

Milan Negovan

Simon Harvey

Milan Negovan

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads