forms authentication and file download

Discussion in 'ASP.NET 2.0' started by wisemx, Jan 2, 2007.

  1. To make it easier on you and to make the file more secure, I'd suggest using a FileStream for the actual file but still authorizing the user; then, once the user has been granted access to the file, the stream can be granted to them.

    Here's a pretty straightforward example:
    http://www.codeproject.com/aspnet/SecureFileDownload.asp

    note: This can also be done to allow anonymous downloads but prevent hot-linking.
     
  2. I am having problems trying to secure a file against download.

    I've written a web application in .NET 2.0 and have written my own membership provider for an Access database using forms authentication (the database is in the _database directory).

    I have a file (down.zip) in a subdirectory (down). This file should only be available to authenticated users.

    I've entered the following in my web.config file (in the application root directory):

    <configuration>
      <location path="down/down.zip">
        <system.web>
          <authorization>
            <deny users="?"/>
          </authorization>
        </system.web>
      </location>
      <system.web>
        <authorization>
          <deny users="?"/>
        </authorization>
        <authentication mode="Forms">
          <forms name=".ASPXFORMSAUTH" loginUrl="Default.aspx"/>
        </authentication>
        <membership defaultProvider="OleDbProviderTest" userIsOnlineTimeWindow="15">
          <providers>
            <add name="OleDbProviderTest" .../>
          </providers>
        </membership>
      </system.web>
    </configuration>

    When running the application on my local machine, everything works fine. I can create a user, and only after logging in is the file available for download.

    However, when running the application on the discountasp server, the file is available for download even without logging in!!!

    How can I secure my files against unauthorized access? I don't want to use the "Permissions Manager" 'cause I don't want to have to create a new user account for each user... I am saving the user logins in an Access db.

    thanks

    nader
     
  3. Here's a little more info on why your method isn't working:

    When IIS goes to serve up a .ZIP file, by default it isn't going to go through the ASP.NET engine, so the security settings you set up won't even be checked. They're only checked for ASP.NET types like .ASPX, .ASMX, etc.

    On your local machine you probably have all extensions mapped to the ASP.NET engine, or you're using the built-in development web server, which maps everything to ASP.NET, so it works.

    You can do the same thing here by entering a trouble ticket asking them to set up "wildcard mapping". However, there are performance implications to that if you don't know what you're doing, since now ALL requests will go through the ASP.NET engine. This means anything you have in global.asax, and any HttpModules, get run for ALL file requests whether they're ASP.NET or just plain old HTML or images or whatever.

    The previous suggestion to use streaming to send the file from an ASP.NET page or service is probably the best way to go about it - that way you don't need to mess with the wildcard mapping.
     
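The streaming approach recommended in posts 1 and 3, as an added example that is not code from any poster or from the linked CodeProject article: an IHttpHandler (register it as SecureDownload.ashx or in <httpHandlers>) that checks forms authentication itself and only then transmits the file. Because the request URL is an ASP.NET type, IIS always routes it through the ASP.NET engine, so the check runs without wildcard mapping. The folder name "down" and the "file" query parameter are assumptions.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Security;

// Added example: serves files from the protected "down" folder to authenticated users only.
// The .ashx URL goes through ASP.NET on any IIS version, unlike a direct request for down.zip,
// so the forms-authentication check below is enforced even on a shared host.
public class SecureDownload : IHttpHandler
{
    private const string ProtectedFolder = "~/down";   // assumed folder holding the files

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Authorization: anonymous callers are sent to the forms login page.
        if (!context.Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // 2. Validation: accept a bare file name only (no directory separators), then confirm
        //    the resolved path is still inside the protected folder before touching the disk.
        string name = context.Request.QueryString["file"];
        if (string.IsNullOrEmpty(name) || name != Path.GetFileName(name))
        {
            context.Response.StatusCode = 400;
            return;
        }
        string folder = context.Server.MapPath(ProtectedFolder);
        string fullPath = Path.GetFullPath(Path.Combine(folder, name));
        if (!fullPath.StartsWith(folder + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // 3. Stream the file; TransmitFile hands it to IIS without buffering it in memory.
        context.Response.Clear();
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.AddHeader("Content-Length", new FileInfo(fullPath).Length.ToString());
        context.Response.TransmitFile(fullPath);
        context.Response.End();
    }
}
```

IIS will still serve down/down.zip directly as a static file, so keep the protected files in a location static requests cannot reach (outside the site root, or a folder IIS is configured not to serve) and link users only to the handler URL.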