Cristian Boariu
Cristian Boariu

Reputation: 9621

asp.net - prevent downloading a specific file

I have a website where I also have a "UserFiles" directory which is protected to view its content in browser:

This Virtual Directory does not allow contents to be listed.

The problem is that I have some files here which, if you know the name of the file, for instance:

http://example.com/UserFiles/file.ppt

you can download it.

Is there any way to protect this also from web.config? Or, if the user tries to access this, to do a redirect to the login page?

Please note that I do not use Forms authentication but a custom login and Windows authentication is On.

Thanks,

UPDATE: I will try this for the moment: http://www.dotnetcurry.com/ShowArticle.aspx?ID=270

Upvotes: 4

Views: 2942

Answers (2)

serk
serk

Reputation: 4389

If you still want to do this via web.config, your web.config file should have this under the httpHandlers section:

<system.web>
    <httpHandlers>
        <add verb="*" path="*.ppt" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
</system.web>

That will block all .ppt files.

Upvotes: 2

Chris Shaffer
Chris Shaffer

Reputation: 32575

When someone needs to download one of those files, do you just redirect them to a URL similar to the one you gave there?

The alternative would be to have a page defined that returns the file, which you can then put whatever permission checks you want in. Using this method also allows you to move that User folder entirely outside of the web folder, so those URLs aren't available at all.

eg:

C:\UserFiles\
C:\inetpub\MyWebFolder\

You just have to make sure that the user account that the web application is running under has appropriate permissions on the C:\UserFiles\ folder.

Upvotes: 0

Related Questions