Secure files from being downloaded by using the absolute path in the URL

Question

in my MVC 3 project I have a folder in the project's root where I store some SWF files. The problem is, when I hit the url in the browser's address bar, e.g

localhost:39217/Files/fg/f_l1.swf

obviously I see the download dialog. Is there any way to prevent it ? In the other words, that file would be visible in my page after the DOM is loaded, but if I just type its URL I don't want it to be downloaded. I'm afraid that both scenarios are threated the same in the IIS. Any ideas ?

Answer 1

One way I can see to solve this issue is don't reveal the real physical path to the user. Basically you should deliver the SWF files from a controller action.

If you are embedding the SWF file through object tag then the object tag will refer to this action passing the filename. You can control the action by Authorize attribute or some other ways and once you see the request is properly authorized then you write the flash file into the response.

The idea is clearly explained here though the code is in PHP you can migrate that to MVC.

UPDATE:

If you don't want to change the SWF file path then you have to do little more work in Global.asax.cs.

routes.IgnoreRoute("Javascript/{*catchall}");
routes.IgnoreRoute("Content/{*catchall}");
routes.IgnoreRoute("Scripts/{*catchall}");

routes.RouteExistingFiles = true;

routes.MapRoute("", "Files/Flash/{file}", new { controller = "File", action = "Flash" });

Now eventhough some one tries to access the SWF file directly knowing the path, the requests are handled by the Flash action of File controller and there you can do the necessary auth. check before sending back the SWF.