How to secure docs other than .aspx files.

[Guest]

I have a folder within my web application that holds a bunch of word
documents. I have security setup to use forms authentication. If I try and
access a .aspx page that is not listed in my web.config file to allow
anonymous users, it will redirect appropriately. However, if I try and
access one of the word documents, it can be accessed through a web browser
even if the user is not logged in. Is this intended to be this way? Why are
these documents able to be accessed within the web application, even if a
user is not logged in?

Here's how I setup the security:
<authentication mode="Forms">
<forms loginUrl="DefaultLogin.aspx" />
</authentication>

<authorization>
<deny users="?" />
</authorization>

<location path="DefaultLogin.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>

 

[darrel]

Is this intended to be this way?

For the most part, yea.

Why are
these documents able to be accessed within the web application, even if a
user is not logged in?

They're not really part of the application. They just happen to be in the
same directory as your application.

One solution is to move the files outside of your root web folder and then
stream the files to the browser via a page inside your application.

-Darrel

 

[Steve C. Orr [MVP, MCSD]]

I'd suggest you move these files into a private folder (or database) with
security set appropriately.
Then you can retrieve the files for them once you've authenticated them.

Here's more info:
http://SteveOrr.net/articles/EasyUploads.aspx
http://msdn.microsoft.com/library/d...SystemWebHttpResponseClassWriteFileTopic3.asp