We have a library of ZIP files that we would like to make available for download at an ASP.NET site.

The files are sitting on a NAS device that is accessible from our web farm.

Here is our initial strategy:

  1. Map an IIS virtual directory to the shared drive at path /zipfiles
  2. Users can download the zip files when given the URL

However, if users share links to the files, anyone can download them. We would instead like to make use of the ASP.NET forms authentication in our site to validate users' requests before initiating the file transfer.

A few problems: A request for a zip file is handled by IIS, not ASP.NET. So it is not subject to forms authentication. In addition, we don't want ASP.NET to handle the request, because it uses up an ASP.NET thread and is not scalable for download of large files. So, configuring the asp.net dll to handle *.zip requests is not an option.

Any ideas on this?

One idea we've tossed around is this: Initial request for download will be for an ashx handler. This handler will, after authentication, generate a download token which is saved to a database. Then, the user is redirected to the file with token appended in QueryString (e.g. /files/xyz.zip?token=123456789). An ISAPI plugin will be used to check the token. Also, the token will expire after x amount of time. Any thoughts on this? I have not implemented an ISAPI plugin so I'm not sure if this will even work.

I would like to avoid custom coding since security is an issue and I'd prefer to use a time-tested solution.
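
The expiring download token described in the question, as an added example that is not part of the original post or of either answer. The class name `DownloadTokenStore` is hypothetical, the in-memory dictionary stands in for the database table, and single-use redemption plus binding the token to one file path are assumptions beyond the stated expiry.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical store; the dictionary stands in for the token table in the database.
public sealed class DownloadTokenStore
{
    private sealed class Entry
    {
        public string Path;
        public DateTime ExpiresUtc;
    }

    private readonly ConcurrentDictionary<string, Entry> _byHash =
        new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _lifetime;

    public DownloadTokenStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Called by the .ashx handler after forms authentication has succeeded.
    public string Issue(string path)
    {
        var raw = new byte[32];                       // 256 bits from the CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = ToHex(raw);
        // Only the hash is stored, so a leaked table yields no usable tokens.
        _byHash[Hash(token)] = new Entry { Path = path, ExpiresUtc = DateTime.UtcNow + _lifetime };
        return token;                                 // goes into ?token=...
    }

    // Called by whatever component guards the file URL before the transfer starts.
    public bool Redeem(string token, string requestedPath)
    {
        if (string.IsNullOrEmpty(token)) return false;
        Entry e;
        // TryRemove makes the token single-use, even under concurrent requests.
        if (!_byHash.TryRemove(Hash(token), out e)) return false;
        if (DateTime.UtcNow > e.ExpiresUtc) return false;
        // The token is bound to one file; it cannot be replayed against another.
        return string.Equals(e.Path, requestedPath, StringComparison.OrdinalIgnoreCase);
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return ToHex(sha.ComputeHash(Encoding.ASCII.GetBytes(token)));
    }

    private static string ToHex(byte[] b) { return BitConverter.ToString(b).Replace("-", ""); }
}
```

Single-use redemption means a resumed or ranged download needs a fresh token; drop the removal and rely on the expiry alone if resumable transfers matter more than replay resistance.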

A: 

Forms authentication can't go without ASP.NET.

If you don't want to use ASP.NET at all, you can define NTFS permissions on the files and create domain accounts for your users. That will become a nightmare really fast.

To deal with large downloads in ASP.NET, you can take a look at Comet. That's basically an IHttpHandler, but you'll need to use another ThreadPool (not ASP.NET). I suggest taking a look at Smart Thread Pool.

I combined both a few months ago to create an application for download speed throttling, and it now runs very smoothly.

Rubens Farias
Yeah, NTFS permissions are not a possibility for me. Did your solution provide authenticated access?
frankadelic
Yes; when I get a `?FileId=` I go to the database, check if the user can download it and start that download
Rubens Farias
Rubens, I am totally new to COMET and Smart Thread Pool - do you have an example online of your specific use case?
frankadelic
Take this approach: http://www.codeproject.com/KB/aspnet/CometAsync.aspx, replacing its ThreadPool implementation with that SmartThreadPool
Rubens Farias
A: 

I read and understand your concern with using a handler to manage your static files, but if you use an async handler then you won't be blocking.

I think you might get the results you are looking for at a fair price.

Sky Sanders