Shield file from download?

[q]

Hi, all -

Sort of a noob question, I suppose...

I have a file I want to make available for download from my site. I want to
make sure people check a checkbox first, though, saying they agree to
license terms. At the moment, I'm using an asp:HyperLink and
enabling/disabling it in response to the checkbox change. Works fine, except
there's really nothing to prevent someone from posting the url from the
hyperlink elsewhere and allowing people to download my file, bypassing the
license terms.

Ideally, I'd like to have the same UI as I do now - a checkbox and an
asp:HyperLink - but have the download implemented in such a way that the
file can ONLY be accessed by clicking the link, as opposed to, say, typing
the link url directly into the address bar of IE.

Can anyone out there suggest a good solution?


TIA.

 

[Gregory A. Beamer]

Hve the file delivered through a web page and protect that web page by
login. Then "log" the user in only when they agree. Then if someone hits the
link directly, you can redirect them to the log in.

Another option is an HTTP filter for download that requires credentials.

 

[q]

Gregory -

Thanks for the response. Let me see if I understand correctly. I could make
two pages with an identical UI, one protected and the other not. The public
one wouldn't ever activate the hyperlink - it would stay disabled, and when
the user checked the 'I agree' checkbox, he'd be redirected to the protected
version of the page, where the link would be enabled. The download itself
would also be protected under the same credentials.

Is this what you're describing with the first option?

re the second option: How would I implement this? Need more hints on this
one, I'm afraid.

 

[Peter Bromberg [C# MVP]]

If you insist on having a hyperlink in the page, you may always run the risk
of somebody doing "View Source" and grabbing the link. What you can do is
when the checkbox is checked (Autopostback =true) then on the postback, you
can use Response.ContentType = "whatever", combined with Response.WriteFile
to send the file without the user having any idea of what the "link" is.
There are other similar methods as well.
Peter

 

[q]

Hi, Peter -

This sounds like exactly what I'm looking for.

I'll look at the docs this evening and see if I can get something up and
running. I may be back.

Thanks for the help!

 

[Gregory A. Beamer]

To an extent, you are correct. I am sugesting a bit of an "outside the box"
solution that is quick and easy to implement.

What you do is make sure the download "page" can only be hit by an
authenticated user. You then "authenticate" them with the button click. You
can then set up this folder with a web.config that redirects the person to
the page with the accept if they try to hit it directly. The page sees them
unauthenticated and boom.

Now, if you already have a secured section, you will have to get into roles,
as any authenticated user can bypass. This might not be good and is
something I did not think through initially.

But, you can alter this pattern to look for something on the user's
"profile". Borrowing from an old ASP methodology, you can do something like
this for the "download" page:

Page_Load

if(Session["AcceptedDownload"])
{
//Set mime type
Response.ContentType = "{your type}";

//Get file here
//Stream file
}
else
{
//redirect to accept "page"
}

now, the accept page could actually be the same page, if you want to custom
build the page with code.

The benefit here is you can use a login section and still have the download
protected. It will require a bit more code and you will be storing the
information somewhere for acceptance (cookie, session, etc.).

Another option is to use something like Silverlight as your "download
manager". You then have full control over whether the user sees the download
link. The same can be done with ActiveX (although the install is a pain),
Flash, Java applets, etc.

These are just some ideas that can work for you.