ansaurus

Question

Securing Large Downloads Using C# and IIS 7

Answer 1

+6 A:

You know what? The KB article is poo. Here is my official recommendation:

public void StreamFile(string filePath)
{
    string fileName = Path.GetFileName(filePath);

    using (var fStream = new FileStream(filePath, FileMode.Open, FileAccess.Read, FileShare.Read))
    {
        var contentLength = fStream.Length;

        if (Request.UserAgent.Contains("MSIE"))
        {
            Response.AddHeader("Content-Transfer-Encoding", "binary");
        }

        Response.ContentType = "application/octet-stream";
        Response.AddHeader("Content-Length", contentLength.ToString());

        // Even though "Content-Disposition" should have an upper-case "d", as per http://www.ietf.org/rfc/rfc2183.txt
        // IE fails to recognize this if the "d" is upper-cased.
        Response.AddHeader("Content-disposition", "attachment; filename=" + fileName);

        var buffer = new byte[8192];

        while (Response.IsClientConnected)
        {
            var count = fStream.Read(buffer, 0, buffer.Length);
            if (count == 0)
            {
                break;
            }

            Response.OutputStream.Write(buffer, 0, count);
            Response.Flush();
        }
    }

    Response.Close();
}

John Gietzen 2010-02-01 18:22:16

After giving that an attempt, it looks to me like that still loads the file into memory. At least, I was getting out of memory exceptions when I tried it on a 1.5GB file, and got tired of waiting for the download on a 450MB one. I'm doing this on a test machine, not the file server, so the amount of memory I have to work with is lower.My file servers have a ton of ram (24GB I think) but I'd like a solution that doesn't require a lot of strain on the processor or memory. Lighttpd does this using mod_secdownload and URL rewrite rules, which is fast and cheap on cycles/memory.

Sheep Slapper 2010-02-01 18:51:16

@john - the way I read the code in Reflector, none of the MS methods for writing files actually use small buffers. They all seem to allocate a single buffer for the entire file. Some of this is pretty hard to trace, so maybe I am missing something.

Ray 2010-02-01 18:54:48

@Sheep Slapper: http://support.microsoft.com/kb/812406

sixlettervariables 2010-02-01 18:54:49

@Ray, crap. Well, I'll update with the KB Article Info

John Gietzen 2010-02-01 19:21:52

@John: You beat me to it. I just tested that, and it worked. If there is a solution that doesn't require me to create HTTP streams by hand, and take up memory, that would be preferred. Lighttpd does it, and does it well, but I'm trying to keep the number of technologies involved to a minimum.For now, I guess this works. If anyone comes across a way to do this without the ugly FileStream code, that would rock. But for now, John's is the accepted answer.

Sheep Slapper 2010-02-01 19:36:17

@Sheep: Please don't use the code directly from the KB article of from Ray's link. Both of those are very messy versions of the code I have above. Also, I have a bug fix for one of IE's quirks.

John Gietzen 2010-02-01 19:45:06

@Sheep Slapper: keep in mind the way ASP.Net works you can't make it as nice as lighttpd. The worker process sends data to ISAPI that sends it to the user. Two places with buffering is what you'll have to live with.

sixlettervariables 2010-02-01 21:21:09

Also may I suggest a buffer larger than 1024? Maybe 4k or 64k?

sixlettervariables 2010-02-01 21:22:29

@sixletter: Yeah, but he was trying to stay low on the memory usage. I'm pretty sure that 1024 bytes would be sufficient to peg the bandwidth.

John Gietzen 2010-02-01 21:27:57

1k in a loop with a flush is pretty inefficient.

sixlettervariables 2010-02-01 22:08:27

@six: Good point. Changed to 8k.

John Gietzen 2010-02-05 14:41:29

Answer 2

A:

You may be interested in Microsoft's Background Intelligent Transfer Service (BITS).

http://msdn.microsoft.com/en-us/library/bb968799%28VS.85%29.aspx

Version 2.5 introduced HTTP authentication via certificates.

gooch 2010-02-01 18:33:28

Answer 3

+1 A:

This thread has my solution to keep memory usage down while users are downloading files. You probably want a bigger buffer than my sample uses, though.

Ray 2010-02-01 18:43:31

After reading that thread and the Microsoft Support article in the answer above, I'm headed in that direction for a temporary solution. It's better in that there are less applications involved in the process, but it's not as transparent in what's going on. Now I just have to develop a tiny app to implement it and build my own version of mod_secdownload since the app that validates my users isn't on the file servers! Thanks for the info!

Sheep Slapper 2010-02-01 19:39:22

Answer 4

A:

While this isn't directly applicable since you're using MySql but it's something to consider (might even be available for free by using sql server 2008 express). Sql Server 2008 offers Filestream support which lets you access files as if they are directly stored in the database but actually reside on a fileserver. Then information on the other posts can help you with getting it to the user.

FILESTREAM Storage in SQL Server 2008

Chris Marisic 2010-02-01 18:47:43

ansaurus

tags:

views:

answers:

Securing Large Downloads Using C# and IIS 7

related questions