Preventing File Downloads

Hi everyone:

So besides my post about redirecting, I have an issue with securing files.

Building a sub site, I currently have all traffic routing to a login page if the user is not authenticated. It currently denies all anonymous access through the web.config file. Unfortunately, the site is setup to be a resource library, so if you have the exact URL of the *.XLS, *.DOC, or any othernon *.ASPXdocument resource, you bypass any authentication and have the ability to download the file. Is there a way to prevent this from occurring?

Doing some research, there seems to be something with file mapping,IIS, and ASPNET_ISAPI.DLL handling the files to prevent this, but I was unable to find out an exact method to accomplis this task. Is this something that I need to contact DiscountASP for? I'm currently at a loss.

Any help would be appreciated, I'm writing code in C#, and I eventually need to wrap the whole usage in SSL.

Thanks in advance, and happy holidays.

 

ASP.NET 2.0 has this feature where you can protect non-ASP.NET files. More details on how it works can be found here http://www.asp.net/QuickStart/aspnet/doc/tipstricks/default.aspx#securingnonaspnetcontent. Send a ticket to support if you want to setup the wildcard mapping as indicated in the article.

DiscountASP.NET
www.DiscountASP.NET

 

Is there a way to take care of this with ASP.NET 1.1?

We do not plan on using ASP.NET 2.0 for quite some time and we need this feature in our current application. Is there any way to achieve this?

Thanks again for the help.

 

Just wondering...


Are all directories that start with "_" protected, ie ASPNET user can access but not IUSR??


I have very little IIS experience, any docs that explain this kind of stuff you know about, I would certainly appreciate a link )

 

the _database directory is a directory that we create for all our customers with anonymous browsing disabled. This directory is not accessible via the web, so you can stuff sensitive data inside.

If you are talking about the _vti files, those are generated by frontpage.


Joel Thoms

DiscountASP.NET
http://www.DiscountASP.NET

 

A common way of protecting these, is to stuff them into your _database directory (which is protected)

and create a file like Download.aspx that accepts an argument like ?file=stuff.xls

Then you can determin in the aspx page which files are or aren't allowed to be downloaded based upon their authorization.


Joel Thoms

DiscountASP.NET
http://www.DiscountASP.NET