Reputation: 209
I am uploading documents such as Excel, PDF, Word, and PPT files in ASP.NET. How can I make it secure?
Suppose I have a website www.example.com and I have uploaded docs to the "Files" folder in the root directory. The name of a file I have uploaded is 3828392839.pdf, and if I enter the URL "www.example.com/Files/3828392839.pdf" in the address bar, it allows anyone to open and download the docs. I need it to allow opening or downloading the files only if there is a valid logged-in user.
Upvotes: 1
Views: 3856
Reputation: 1417
If you are using IIS 7+, see this question: How do I protect static files with ASP.NET form authentication on IIS 7.5?
For IIS 6, you can put the files in the app_data folder, and you need to make a handler to serve the files.
Upvotes: 0
Reputation: 131
You can secure this by creating permissions on the documents folder. This means you need permission to upload files and to download them as well.
For simple Windows authentication: create reader and writer roles as local users/groups. For Basic authentication: it is best to use database authentication for roles.
You need to check that the IIS app pool is configured correctly if you are using IIS 7.0.
Upvotes: 0
Reputation: 6864
Pretty simple. Create a normal ASP.NET page. Do your authentication however you want to do that; if they pass authentication, send the file to the response as described here...
How to send file in HttpResponse?
Alternatively, if they do not pass authentication, don't send the file; instead respond with some HTML like "Access Denied".
Upvotes: 0
Reputation: 9804
You should implement proper authentication and authorization in your ASP.NET site for your requirement.
To learn more, go through these links.
Upvotes: 0
Reputation: 8626
You will have to create a valid folder structure for this purpose while saving the file.
E.g., if the user with userID 20052 is logged in and uploads the file, then the file path should be:
Files/20052/3828392839.pdf
Here I have created a folder with the same name as the user ID to save the uploaded file.
While opening the file, you will have to compare the folder name (i.e. 20052) with the logged-in user ID. If they are the same, then allow the file to be downloaded.
Upvotes: 1
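Added example, not code from any of the answers above: one way to combine the handler, authentication-check and per-user-folder suggestions in a single ASP.NET `IHttpHandler`. The handler name, the `name` query parameter, the `~/App_Data/Files` location and the use of a numeric user ID as `Identity.Name` are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Web;

// Added example: hypothetical handler, requested as Download.ashx?name=3828392839.pdf
public class SecureDownloadHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Anonymous requests are refused before the file system is touched.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        { Deny(context, 401); return; }

        // Assumption: Identity.Name is the numeric user ID used as the folder name.
        string userId = context.User.Identity.Name;
        string name = context.Request.QueryString["name"] ?? "";

        // Reject names with separators or other characters invalid in a file name.
        bool badName = name.Length == 0
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0;
        if (userId.Length == 0 || !userId.All(char.IsDigit) || badName)
        { Deny(context, 400); return; }

        // Files live under App_Data, which ASP.NET does not serve to direct URL requests.
        string root = context.Server.MapPath("~/App_Data/Files");
        string userDir = Path.Combine(root, userId) + Path.DirectorySeparatorChar;
        string fullPath = Path.GetFullPath(Path.Combine(userDir, name));

        // The resolved path must stay inside the caller's own folder ("." and ".." fail here).
        if (!fullPath.StartsWith(userDir, StringComparison.OrdinalIgnoreCase) || !File.Exists(fullPath))
        { Deny(context, 404); return; }

        // Force a download and stop the browser from guessing a renderable type.
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.TransmitFile(fullPath);
    }

    private static void Deny(HttpContext context, int status)
    {
        context.Response.StatusCode = status;
        context.Response.Write("Access denied");
    }
}
```

Because the folder is derived from the authenticated identity rather than from the request, a logged-in user cannot reach another user's files by changing the URL.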