tags:

views:

46

answers:

1
+3  Q: 

How do I prevent unauthorized attempts to access a specific file type?

This is really a couple of questions about preventing unauthorized attempts to access a specific file type. Here go the questions:

  1. How do I prevent users from directly requesting a type of file? Do I write an HTTP handler?
  2. After preventing a direct download, can my app still explicitly serve that file type? How?
+3  A: 

The way to do this is to:

  1. Put all your tif files in a non publicly accessible location
  2. Create an IHttpHandler to serve these tif files based on authentication (or whatever limitation you choose).
  3. (Optional) Set up a rewrite rule so that all tif requests go through your IHttpHandler. This creates nice URL's again.
Paul Mason  2010-02-17 01:58:07
Note that there is no bullet-proof way to prevent people from requesting a file while allowing your app on their machine to request it.
SLaks  2010-02-17 01:59:14
There is... you're web app could be in c:\inetpub\wwwroot, whereas your tif files could be in c:\webdata\. Then it is just a matter of setting appropriate application pool permissions. At least, I thought you could do it that way? Of course I could be misinterpreting the initial question :)
Paul Mason  2010-02-17 02:01:36
I think SLaks means that if you hard-code a key in your client app, users will find it.
Matthew Flaschen  2010-02-17 02:03:18
but... when the browser renders the image, it can still be copied and taken from the browser. once it's rendered (even through an iHttpHandler), it is considered a physical fine (even if it's not).
rockinthesixstring  2010-02-17 02:04:25
Hmmm; all valid points. I interpreted the question that they were simply wanting to prevent unauthorised requests to a file type (i.e. they must have passed authentication or something). Could be wrong of course.
Paul Mason  2010-02-17 02:09:28
@Paul Mason - You are correct. Just prevent unauthorized attempts to access a specific file type.
flipdoubt  2010-02-17 02:18:12

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps