Uploaded document security in ASP.net

[Guest]

Hi all,

my asp.net page lets the users uploads documents up to a folder on the
webserver and then shows hyperlinks on a page pointing to these documents so
that the user can click them open and all this is only for users logged in
only. But the problem is that ones the user sees the name and part of the
document they are able to browse to the document using this url without even
logging in to the website,question is how can i restrict the user so that the
only way he can access documents form this folder is if they log into the
website.

Please suggest.!!
Sameer

 

[Teemu Keiski]

Hi,

you need to map file extension in IIS for ASP.NET to handle (map extension
to aspnet_isapi.dll). After that, forms authentication can take place with
these files. For example with PDFs see this good post by Richard Dudley

http://aspadvice.com/blogs/rjdudley/archive/2005/05/21/2595.aspx

 

[Guest]

Teemu, thanks for your reply but what if the user is uploading files with
different extensions that are not registered with IIS, they woudl be able to
be viewed by the users unless i regsiter their extension with IIS. Other then
this, isnt there any other way that i can restrict access to these file for
users not logged in the application?

thanks

 

[Teemu Keiski]

Hi,

I'd say you'd probably want to restrict the types of files to be uploaded,
when you can do this. Basically, you could map all extensions to ASP.NET
(just use wildcard *) but it has performance penalty also, since mapping
means that files are served through ASP.NET pipeline.

 

[Guest]

if you would like to restrict users to certain parts of the website, I would
suggest enable membership and roles, this way a user will be forced to logon,
see this video tutorial for help on membership and roles:

http://download.microsoft.com/downl...-b3b8f93a86e4/hilo_membership-roles_final.wmv