Using forms authentication, but you can get at a file if you know the name of it.


Mufasa

I have a website where there is a login screen on it. All works fine. As
part of the website I have links to some pdfs, htmls, jpgs, and assorted
other stuff. I have found if you know the name of the file (or login, and
copy the link) you can get at the file without logging in.

I verified this by pulling up one of my pdfs, copying the url, closing down
all of IE and then starting IE and putting in the url.

Lo and behold - the file is there.

Is there any way to stop this behavior? What I really want is a way to limit
the people who get to my web site by using a userid/password stored in a
database and then and only then can they get at my documents. Currently we
use NT security with one userid/password which isn't a good solution. We
have people coming and going quickly so we need a better way to do this. And
putting the users in NT just seems a pain.

Thanks for your help.

J.

Peter Bradley

Have you annotated your classes and/or methods with attributes that issue
security challenges, ensuring that users are logged in, and members of the
correct role before accessing the class/method? Something like (from msdn):

[PrincipalPermissionAttribute(SecurityAction.Demand, Name="Bob", Role="Supervisor")]

or (from one of our applications, slightly altered to protect the innocent):

[PrincipalPermissionAttribute(SecurityAction.Demand, Authenticated=True, Role="Supervisor")]

Or you can do the same thing programmatically using things like IsInRole().
You catch any security exceptions that get thrown as a result of these in a
convenient place, like Global.asax

HTH


Peter

Page Brooks

Mufasa,
Also, in ASP.NET 2.0, you have the option of adding the following to your
httpHandlers:

<add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler"
validate="True" />

This will cause ASP.NET to process all unknown extensions through the
Authenticate and AuthorizeRequest events in the execution pipeline.
Again, I will refer you to the same URL which has more information on this:

http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNET20.aspx
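Editor's note on why the PDFs come back without a login: on IIS 5/6 only the extensions mapped to aspnet_isapi.dll (.aspx, .ashx, .asmx and so on) ever reach ASP.NET. A .pdf, .jpg or .htm is served by IIS itself, so forms authentication and the <authorization> section of web.config are never consulted for it. Page Brooks's httpHandlers entry fixes that by routing every request through ASP.NET, but it only takes effect once a wildcard application map to aspnet_isapi.dll has been added to the site in the IIS console, and it still needs <deny users="?"/> inside <authorization>, because the DefaultHttpHandler line by itself makes the authorization event run without making it refuse anyone.

The example below is added here and is not code from this thread. It takes the other route: the documents move into App_Data, which ASP.NET refuses to serve by URL, and a handler streams them only to an authenticated user, using the PrincipalPermission demand Peter Bradley describes, with Global.asax catching the resulting SecurityException. The folder name App_Data/Protected, the handler file GetFile.ashx (whose directive line is <%@ WebHandler Language="C#" Class="ProtectedFileHandler" %>), the query-string parameter "name" and the file-name pattern are assumptions for the example; links on the site then become GetFile.ashx?name=report.pdf.

```csharp
// Added example, not code from the thread. Two files are shown together:
//   GetFile.ashx  -> ProtectedFileHandler (streams one document from
//                    ~/App_Data/Protected to an authenticated user)
//   Global.asax   -> Global.Application_Error (turns the SecurityException
//                    from the PrincipalPermission demand into a login redirect)
// Assumed: folder ~/App_Data/Protected, query-string parameter "name", and a
// forms-auth loginUrl already configured in web.config.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Hosting;
using System.Web.Security;

public class ProtectedFileHandler : IHttpHandler
{
    // ASP.NET maps App_Data to HttpForbiddenHandler, so nothing in here can be
    // fetched by URL; the only route to a document is through this handler.
    private static readonly string ProtectedRoot =
        HostingEnvironment.MapPath("~/App_Data/Protected");

    // Plain file names only: no path separators, no "..", and no quotes that
    // could break the Content-Disposition header built below.
    private static readonly Regex SafeName =
        new Regex(@"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$");

    public bool IsReusable { get { return true; } }

    // Declarative check (the attribute approach from the thread): an anonymous
    // caller gets a SecurityException before the body runs. Add Role="..." in
    // the same attribute to require membership of a role as well.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        string name = context.Request.QueryString["name"] ?? string.Empty;
        if (!SafeName.IsMatch(name))
        {
            response.StatusCode = 400;
            return;
        }

        // Belt and braces: even with a clean name, confirm the resolved path is
        // still inside ProtectedRoot before touching the file system.
        string fullPath = Path.GetFullPath(Path.Combine(ProtectedRoot, name));
        if (!fullPath.StartsWith(ProtectedRoot + Path.DirectorySeparatorChar,
                                 StringComparison.OrdinalIgnoreCase)
            || !File.Exists(fullPath))
        {
            response.StatusCode = 404;
            return;
        }

        response.ContentType = ContentTypeFor(Path.GetExtension(fullPath));
        response.AddHeader("Content-Disposition",
                           "attachment; filename=\"" + name + "\"");
        // Keep shared caches and proxies from handing the file to the next caller.
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.TransmitFile(fullPath);
    }

    private static string ContentTypeFor(string extension)
    {
        switch (extension.ToLowerInvariant())
        {
            case ".pdf":  return "application/pdf";
            case ".htm":
            case ".html": return "text/html";
            case ".jpg":
            case ".jpeg": return "image/jpeg";
            default:      return "application/octet-stream";
        }
    }
}

// Global.asax code-behind. ASP.NET may wrap the exception from the demand in
// an HttpUnhandledException, so unwrap it before testing the type.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        if (ex is SecurityException)
        {
            Server.ClearError();
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
```

Because the handler ends in .ashx it is already mapped to ASP.NET, so a <deny users="?"/> in web.config applies to it as well; the attribute and the in-code checks are there so the handler stays closed even if that configuration is lost. The file-name regex rejects anything with a slash, a dot sequence or a quote, so a request such as GetFile.ashx?name=..%5Cweb.config gets a 400 rather than a look inside the application folder.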
 
