j4m4l

Reputation: 328

stop unauthorized file download in asp.net

I have a login.aspx page with custom textboxes for username and password, i.e. no LoginView.
After supplying the correct username and password, I assign a session id which is used to visit other pages on the website.

Now, to download a file (1234), I redirect the user to ~/download.aspx?fileid=1234; on this page I check the session id and send the user to the file URL, i.e. ~/file/1234.pdf.
If someone directly enters the file URL, then I am unable to stop him.
Please guide me on how to do this...

P.S.: I have read about authentication rules in the web.config file but don't know how to mark a user as authenticated once he supplies the correct username and password at login. (I am only checking the username and password against the database and redirecting to the home page.)

Upvotes: 0

Views: 3628

Answers (3)

PraveenVenu

Reputation: 8337

Below is the code I use in my projects

// These two methods live in a Web Forms page code-behind, so Response and
// MapPath come from the Page base class.
using System;
using System.IO;
using System.Web;

// UserHasPermission and ShowMessage are the answerer's own helpers (not shown):
// the permission check runs before anything is written to the response.
void ServeFile(string fname, bool forceDownload)
{
    if (UserHasPermission(fname))
    {
        DownloadFile(fname, forceDownload);
    }
    else
    {
        ShowMessage("You have no permission");
    }
}

private void DownloadFile(string fname, bool forceDownload)
{
    string path = MapPath(fname);            // virtual path -> physical path
    string name = Path.GetFileName(path);
    string ext = Path.GetExtension(path);
    string type = "";
    // set known types based on file extension
    if (ext != null)
    {
        switch (ext.ToLower())
        {
            case ".htm":
            case ".html":
                type = "text/HTML";
                break;

            case ".txt":
                type = "text/plain";
                break;

            case ".doc":
            case ".rtf":
                type = "Application/msword";
                break;

            case ".pdf":
                type = "Application/pdf";
                break;
        }
    }
    if (forceDownload)
    {
        // "attachment" makes the browser show a save dialog instead of rendering inline
        Response.AppendHeader("content-disposition",
            "attachment; filename=" + name);
    }
    if (type != "")
        Response.ContentType = type;
    Response.WriteFile(path);                // stream the file body
    Response.End();                          // stop further page rendering
}

Upvotes: 1

rs.

Reputation: 27467

Take a look at this - http://support.microsoft.com/kb/301240

Look for point 4 in that article under "Code the Event Handler So That It Validates the User Credentials"; it explains how to set the authentication cookie after validating the user.

Code to look at:

using System;
using System.Web;
using System.Web.Security;

FormsAuthenticationTicket tkt;
string cookiestr;
HttpCookie ck;
// ticket version 1, issued now, valid for 30 minutes; txtUserName and
// chkPersistCookie are the controls on the login form
tkt = new FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now,
    DateTime.Now.AddMinutes(30), chkPersistCookie.Checked, "your custom data");
cookiestr = FormsAuthentication.Encrypt(tkt);     // encrypted + signed with machineKey
ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
if (chkPersistCookie.Checked)
{
    // persistent cookie: let it outlive the browser session
    ck.Expires = tkt.Expiration;
}
ck.Path = FormsAuthentication.FormsCookiePath;
Response.Cookies.Add(ck);

What you can do is:

1. Enable forms authentication in web.config
2. Deny anonymous access to the downloads folder
3. When the user authenticates, set the authentication cookie and redirect the user to the download folder
4. The download folder can now only be accessed by a logged-in user and id

Upvotes: 1

Fourth

Reputation: 9351

Your authentication strategy is fairly weak. You should be bounding areas of your site (namely the files directory in this instance) with roles and assigning users to them.

However, to get around the more immediate problem, simply disable the outside world from getting to the files directory and when they hit ~/download.aspx?fileid=1234 just serve them the file. You can find instructions for this here: How to properly serve a PDF file

Upvotes: 4
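Putting the two answers above together (forms authentication as the gate, and a handler rather than a direct file URL), here is an added example that is not code from any of the posts. It assumes forms authentication is enabled in web.config, that the PDFs are stored under ~/App_Data/files (a folder ASP.NET never serves directly, so the ~/file/1234.pdf shortcut disappears), and that the handler is registered as ~/download.ashx; the digits-only id format is also an assumption.

```csharp
// download.ashx: added example, not from the question or the answers.
// Assumed layout: PDFs live in ~/App_Data/files/<id>.pdf and are reachable
// only through this handler, which requires a valid forms-auth ticket.
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

public class DownloadHandler : IHttpHandler
{
    // Only plain numeric ids are accepted, so input such as "..\web.config"
    // is rejected before it ever reaches Path.Combine.
    private static readonly Regex FileId = new Regex(@"^\d{1,10}$", RegexOptions.Compiled);

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        // The decision comes from the forms-auth cookie, not a hand-rolled
        // session flag that a direct file URL would never consult.
        if (!request.IsAuthenticated)
        {
            response.StatusCode = 401;   // FormsAuthenticationModule redirects to login
            return;
        }

        string id = request.QueryString["fileid"];
        if (id == null || !FileId.IsMatch(id))
        {
            response.StatusCode = 400;
            return;
        }

        string root = context.Server.MapPath("~/App_Data/files");
        string path = Path.Combine(root, id + ".pdf");

        // Defence in depth: the resolved path must still sit under root.
        string prefix = root + Path.DirectorySeparatorChar;
        if (!Path.GetFullPath(path).StartsWith(prefix, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(path))
        {
            response.StatusCode = 404;
            return;
        }

        // A per-file ownership or role check would go here (see "Fourth" above).
        response.ContentType = "application/pdf";
        response.AppendHeader("Content-Disposition", "attachment; filename=\"" + id + ".pdf\"");
        response.TransmitFile(path);   // streams without buffering the whole file
    }
}
```

With the files moved out of the web root, the old ~/file/1234.pdf URL returns 404 for everyone, and ~/download.ashx?fileid=1234 is the only path to the content.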
