View Full Version : asp.net MVC app and protecting a folder


aircom
01-21-2010, 08:35 AM
Hi,

First post here. I'm just trying to install my MVC app under the root. My problem is that I have to protect some files in a folder. The MVC app will ensure that a user has the right to download a file. This is done through a route (..../download/{fileid}). The action method checks in a database that the user has the rights and returns the file; if not, it redirects. This behavior is working well, but I also need to ensure that the file is not accessible through another URL.

At my previous Linux host, I had the possibility to put files outside the web root folder. Here I can't. So I'm obliged to create a folder under the web root. Protecting it just against anonymous users, while feasible, is not enough since a logged-in user could still access all the files although his rights should give him access to only a set of files.

The only thing I have found right now is to name the folder like the URL segment of my route (here "download"). This obliges routing to take precedence and so a visitor can't type ..../download/a.zip.
But is it secure enough?

What alternatives?

Thank you

bruce
01-22-2010, 11:01 AM
Put it in the App_Data folder.

This is a special folder to store files that you do not want users to access directly.

See http://msdn.microsoft.com/en-us/library/ex526337.aspx
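
Added example, not part of either post: a sketch of the download action described in the question, serving from App_Data as suggested in the reply. `IFileStore`, `StoredFile`, the `downloads` subfolder, the route defaults and the redirect target are hypothetical names, and the constructor assumes a dependency-injecting controller factory is configured.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Mvc;

// Hypothetical record and lookup; the thread only says rights are checked in a database.
public class StoredFile
{
    public string DiskName { get; set; }      // file name on disk under App_Data
    public string DownloadName { get; set; }  // name offered to the browser
}

public interface IFileStore
{
    // Returns null when the file does not exist or this user has no right to it.
    StoredFile FindForUser(int fileId, string userName);
}

[Authorize] // anonymous users never reach the action
public class DownloadController : Controller
{
    private readonly IFileStore _store;

    public DownloadController(IFileStore store) { _store = store; }

    // Assumes a route "download/{fileId}" with defaults controller=Download, action=Index.
    public ActionResult Index(int fileId)
    {
        StoredFile file = _store.FindForUser(fileId, User.Identity.Name);
        if (file == null)
            return RedirectToAction("Index", "Home"); // no rights: redirect, as in the question

        // ASP.NET refuses direct requests for App_Data, so this path has no public URL.
        string root = Server.MapPath("~/App_Data/downloads");
        string rootPrefix = root.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;

        // Path.GetFileName drops any directory part in the stored name (e.g. "..\web.config").
        string full = Path.GetFullPath(Path.Combine(root, Path.GetFileName(file.DiskName)));

        // Defence in depth: the resolved path must still be inside the storage folder.
        if (!full.StartsWith(rootPrefix, StringComparison.OrdinalIgnoreCase) || !System.IO.File.Exists(full))
            throw new HttpException(404, "File not found");

        return File(full, "application/octet-stream", file.DownloadName);
    }
}
```

Because the per-user check happens in the same lookup that resolves the file ID, a logged-in user who guesses another ID gets the same redirect as for a missing file.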