Restricting public access to a file on an ASP.NET site

Question

Hi,

Trying to prevent access to a specific file, not any files with a certain extention, just one specific file. The issue is that the end user can just type: /filename.xml into their browser and can see the contents of this file, i'd rather they not be able to see this.

---

Things I have tried:

1) Putting the file elsewhere

I have a "secure" folder as part of my hosting account. So I figured i'd just change the path to: "..\..\..\SSL\FileName.xml" and move the file there. ASP.NET crashes on this one with the error:

• Cannot use a leading .. to exit above the top directory

So I presume that's in place for security purposes.

2) Location in web.config

So next I tried to use this in the web.config:

  <location path="FileName.xml">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

This doesn't seem to do anything.... anyone know why? I'm not specifically using ASP.NET authentication in this app, is that why this doesn't work?

3) Using IIS to prevent access

Alas, I do not have access to IIS as I have a terrifically lame hosting account.

---

So does anyone know what i'm doing wrong with the above attempts or have any alternative solutions I can try?

kthxbye!

Answer 1

IIS Doesn't handle xml files (just post them to requester) and thus security does not work. Surprisingly on Mono platform in would work... anyway, You can make this workarounds:

1. Store file in really secure folder and access it using aspx page (file name as parameter)
2. Store file in db and rest like in 1
3. Store file whatever in Your hosting account folders and give it GUID name, then store GUID and real file name connection in DB and handle file download thru aspx page.