User

Reputation: 1363

secure and hide url and folder from direct download pdf in mvc5

I am developing an application for online book purchases.

I offer the book as a PDF download after payment, so I want to secure my PDFs from direct download.

Questions:

1) How can I hide the folder URL when the PDF is downloaded?

2) Is there any security code that prevents the user from directly accessing the folder or PDF?

3) When the user clicks download, it should download the PDF directly instead of opening it in the browser first.

Upvotes: 1

Views: 1856

Answers (2)

Rion Williams

Reputation: 76547

There are a million ways to solve this problem, so I'll just shoot from the hip and throw out a few ideas that might help you.

Recommendation

Firstly, you aren't going to want to explicitly expose any files or folders within your application. Let your application serve them for you, if you even want to serve them at all directly. There are quite a few things that you could consider:

  • E-mail - Instead of serving the file directly on the website, e-mail the user a copy of the requested file after they have gone through the payment process.
  • Leverage GUIDs - If you do elect to have a link to the file, make it user-specific. Store all of the users that have paid for a given file in a database and assign IDs (using GUIDs) to them, then when the user requests the file, verify that their account has the appropriate ID or check it against the database to ensure they have permission to access it.

A potential workflow might go something like this:

  • User selects item to purchase/download.
  • User goes through payment processing.
  • After payment is verified, store the transaction in a database (e.g. assign a unique identifier indicating that user can access that particular file(s) OR store something on the user's account indicating all of the resources on your site they have access to)
  • Alternative: Just e-mail the user a copy of the requested file (or a link to download it on your site using the previous step)

If you do choose to have a link for the user to download the file explicitly, make sure you don't expose the file itself but provide an endpoint that handles determining access and ultimately serving the file like this:

 // You could consider writing a custom attribute that would store which files a given 
 // user had access to (via claims, etc.) but make sure the endpoint requires authentication
 [Authorize]
 public ActionResult DownloadFile(Guid fileId)
 {
       // Here you could explicitly check in your database to ensure the user had access
       // to the requested file, otherwise reject the request
       if (CanAccessFile(context.UserId, fileId)) 
       {
             // If they can access the file, then serve it from the appropriate location
             return File(...);
       }

       // No access: reject the request so that every code path returns a result
       return HttpNotFound();
 }

Likewise, you could also support scenarios where simply having access to the link would allow the user to download the file by passing in the file being requested along with a token:

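// You wouldn't necessarily need authentication here because the token and 
// requested file should be enough
public ActionResult DownloadFileWithToken(Guid downloadToken, Guid fileId)
{
     // Here you would just check your database to ensure that the token was
     // valid for the specific file and if so, allow the user to download it
     // (IsTokenValidForFile is a hypothetical helper, like CanAccessFile above)
     if (IsTokenValidForFile(downloadToken, fileId))
     {
          return File(...);
     }

     return HttpNotFound();
}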

Your Questions

1) How could I hide folder URL at the time of download PDF?

Don't expose the file directly such that a user could access it.

2) Any security code which not allow user directly access folder or PDF?

Again - don't allow direct access to any folders or files. If you are serving these files after a payment is made, then there's no reason for you to explicitly expose them on the site/application.

3) When click on download it will directly download PDF instead of open in browser then download?

You can accomplish this behavior (regardless of how you elect to handle this process) via an HTML download attribute:

<a href="path" download>Download</a>

Upvotes: 3
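
An added example (not part of the answer above or of the original page) of the endpoint approach it describes: the client sends only a file ID, the server checks the purchase, and the PDF is served as an attachment from a folder that cannot be requested directly. The controller name, the in-memory collections standing in for database tables, the `~/App_Data/Books` folder and the use of `User.Identity.Name` as the user key are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web.Mvc;

public class DownloadsController : Controller
{
    // Constructed sample data standing in for database tables (hypothetical).
    // fileId -> file name on disk; the client never sends a path or file name,
    // so there is nothing for a "../" style value to act on.
    private static readonly Dictionary<Guid, string> Files = new Dictionary<Guid, string>
    {
        { new Guid("11111111-1111-1111-1111-111111111111"), "file_01.pdf" }
    };

    // Filled in after payment is verified; entries have the form "userName|fileId".
    private static readonly HashSet<string> Purchases = new HashSet<string>();

    [Authorize]
    public ActionResult DownloadFile(Guid fileId)
    {
        string userName = User.Identity.Name;
        string fileName;

        // Return the same 404 for "no such file" and "not purchased", so the
        // endpoint does not reveal which IDs exist.
        if (!Files.TryGetValue(fileId, out fileName) ||
            !Purchases.Contains(userName + "|" + fileId))
        {
            return HttpNotFound();
        }

        // Assumed storage folder. App_Data is not served to direct URL requests
        // by ASP.NET/IIS, so the PDF is reachable only through this action.
        string path = Path.Combine(Server.MapPath("~/App_Data/Books"), fileName);
        if (!System.IO.File.Exists(path))
        {
            return HttpNotFound();
        }

        // Passing a download name makes MVC send Content-Disposition: attachment,
        // so the browser saves the PDF instead of opening it inline.
        return File(path, "application/pdf", fileName);
    }
}
```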

Tân

Reputation: 1

  1. You can put all of the PDF files in a folder, and place that folder in the root path.
_ Your project
|_ wwwroot
|_ PDF_folder
|__ file_01.pdf
|__ file_02.pdf

This way, the user cannot access the file via URL.

example.com/pdf_folder/file_01.pdf, this path will respond with a 404 status code.

  2. Because there is no direct link that the user can access, you don't need any security code for this.

  3. You can try to return a File when the user makes a new request:

public ActionResult Download()
{
    // code goes here...

    return File(...);
}

Upvotes: 1
