Securing a directory

Discussion in 'ASP .Net' started by Simon Harvey, Feb 15, 2004.

  1. Simon Harvey

    Simon Harvey Guest

    Hi everyone,

    I just read an article that said that when you use a web.config file to
    secure a directory, all it can do is secure the asp.net resources in that
    directory - not any non .net resources.
    For example, image files, html and asp files would not be secured.

    I didn't actually realise this and it gave me a bit of a fright! Can anyone
    suggest the best way to keep a directory secured in an application using
    Forms Authentication.

    It's not a problem for me at the moment because I haven't made a site that
    would be affected, but I'm not really sure how I would ensure a directory
    was totally locked down should the need arise.

    Thanks to anyone who can help

    Kindest Regards

    Simon
     
    Simon Harvey, Feb 15, 2004
    #1

  2. Hi Simon,


    You can secure a directory via web.config by using the <location> element.
    As to non-ASP.NET resources---your source was correct. Your IIS maps a
    number of extensions to the ASP.NET ISAPI. Each request for .aspx, .ashx,
    .asmx and a number of other extensions is routed through the ASP.NET HTTP
    Pipeline. The pipeline provides authentication, authorization, caching and
    everything else. On the other hand, .htm, .html, .gif, .jpg, etc extensions
    are not serviced by ASP.NET by default to avoid unnecessary overhead. You
    *can* reassign them to the ASP.NET ISAPI. I briefly touched on this subject
    in my article on custom error pages at
    http://www.aspnetresources.com/articles/CustomErrorPages.aspx (scroll down
    to "What about HTML pages?").

    The bottom line is you can have everything go through the ASP.NET pipeline
    but this will incur certain overhead. If you need code samples of how to
    secure downloads of images, pdf's, etc let me know. I'll look up a couple.

    --
    Milan Negovan
    www.AspNetResources.com
    Essential resources for ASP.NET developers
     
    Milan Negovan, Feb 16, 2004
    #2

  3. Simon Harvey

    Paul Guest

    In article <6LTXb.11027$>, Milan
    Negovan <> writes
    >If you need code samples of how to secure downloads of images, pdf's,
    >etc let me know. I'll look up a couple.


    I'd be interested in that as well (esp the pdfs)

    Ta.
    --
    Paul
     
    Paul, Feb 16, 2004
    #3
  4. Milan Negovan, Feb 16, 2004
    #4
  5. Simon Harvey

    Paul Guest

    Paul, Feb 16, 2004
    #5
  6. Milan Negovan, Feb 16, 2004
    #6
  7. Simon Harvey

    Simon Harvey Guest

    "Simon Harvey" <> wrote in message
    news:eRCVTm$...
    > Hi everyone,
    >
    > I just read an article that said that when you use a web.config file to
    > secure a directory, all it can do is secure the asp.net resources in that
    > directory - not any non .net resources.
    > For example, image files, html and asp files would not be secured.
    >
    > I didn't actually realise this and it gave me a bit of a fright! Can anyone
    > suggest the best way to keep a directory secured in an application using
    > Forms Authentication.
    >
    > It's not a problem for me at the moment because I haven't made a site that
    > would be affected, but I'm not really sure how I would ensure a directory
    > was totally locked down should the need arise.
    >
    > Thanks to anyone who can help
    >
    > Kindest Regards
    >
    > Simon



    Hi there,

    Thanks for your reply!

    Those solutions seem a bit convoluted just to keep a directory secure. Do
    you know of any simpler way, such as putting the sensitive information
    someplace that it's directly accessible via the web, and then providing
    asp.net code to get the files should a user be authenticated correctly.

    Is that possible or am I just being silly!

    :)

    Simon
     
    Simon Harvey, Feb 16, 2004
    #7
  8. > Hi there,
    >
    > Thanks for your reply!
    >
    > Those solutions seem a bit convoluted just to keep a directory secure. Do
    > you know of any simpler way, such as putting the sensitive information
    > someplace that it's directly accessible via the web, and then providing
    > asp.net code to get the files should a user be authenticated correctly.
    >
    > Is that possible or am I just being silly!
    >
    > :)
    >
    > Simon


    Hi Simon,

    You can have one page to control downloads. For example, some kind of a
    download.aspx page protected with Forms Authentication. Say you collect user
    info and have this page redirect to a PDF/DOC/XLS/etc. If anyone can figure
    out your file naming convention (if there's one) they'll know how to bypass
    the download page, so it really depends on how far you want to go with this.
    On our company web site we have a few PDFs that we "protect" this way
    (http://www.custfeedback.com/resources/default.aspx). Once you click a link
    to a PDF, download.aspx collects info and redirects you to the file which
    triggers a "save as" dialog.

    Does it make sense?

    --
    Milan Negovan
    www.AspNetResources.com
    Essential resources for ASP.NET developers
     
    Milan Negovan, Feb 16, 2004
    #8
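
One way to serve protected files through ASP.NET code instead of redirecting to a guessable URL, as discussed in posts #7 and #8. This is an added example, not code from the thread or from any poster; the handler name `DownloadHandler`, the folder `D:\ProtectedFiles` and the `file` query parameter are assumptions, and it needs .NET 2.0 or later for `TransmitFile`.

```csharp
// Code for a hypothetical Download.ashx handler (added example).
// Assumption: the files live in D:\ProtectedFiles, outside the web root, so
// IIS has no URL for them and they can only leave the server through this code.
using System;
using System.IO;
using System.Web;

public class DownloadHandler : IHttpHandler
{
    // Hypothetical storage folder; it must NOT sit under the site's virtual directory.
    private static readonly string Root = Path.GetFullPath(@"D:\ProtectedFiles\");

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // .ashx is mapped to the ASP.NET ISAPI, so Forms Authentication has
        // already run by the time this code executes.
        if (!context.Request.IsAuthenticated)
        {
            // With Forms Authentication enabled, a 401 becomes a redirect to the login page.
            context.Response.StatusCode = 401;
            return;
        }

        string full = ResolveSafePath(context.Request.QueryString["file"]);
        if (full == null || !File.Exists(full))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(full) + "\"");
        context.Response.TransmitFile(full); // streams the file without loading it into memory
    }

    // Returns an absolute path only when the request names a plain file inside Root.
    public static string ResolveSafePath(string requested)
    {
        if (string.IsNullOrEmpty(requested)) return null;
        // Separators, quotes and control characters are all invalid in a file name,
        // which rules out sub-paths and header injection through the name.
        if (requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;
        // ".." contains no invalid characters, so confirm the result is still under Root.
        string full = Path.GetFullPath(Path.Combine(Root, requested));
        return full.StartsWith(Root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }
}
```

Because the response is streamed rather than redirected, knowing the file naming convention does not give a visitor a direct URL to request.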