I have a scenario where a user will have access to a one-time-url. When the user clicks on the URL, specific files will be available to that user.

I have many files on the site but would only like certain files to be accessible by that user.

I have thought about generating an authenticated cookie, using forms-based auth and applying permissions to a certain folder, but I need authorization on individual files, and the files will constantly be changing.

What would be the best way to give a user only access to specific files? (I won't display the other files, but I still do not want other files available if they are typed in the URL)

+1  A: 

I would provide an abstraction around the actual file retrieval. That way the user never sees the file name. Something like www.example.com/File.aspx?id=SOMERANDOMGUID

That RANDOMGUID could reference a file in the back end.

Dustin Laine
+3  A: 

I would create an .ashx (handler file) and have that serve the files to the user (load into memory and then write the contents out by pushing the file to the content stream). That way the end user never has permissions to the actual files on the system but can still access them. Your code can then control when and how long each file is available to a user.

Kevin
@eli: Like Kevin says, you should use a handler. I have posted a similar/related question: http://stackoverflow.com/questions/1958574/asp-net-file-downloading-track-downloaded-size. Hope those answers will help you.
ram
Yes, a handler is a perfect scenario. It would work exactly as my suggestion.
Dustin Laine
A: 

If you have lots of disk space, one way to accomplish this is to copy the files to a randomly-generated folder, so that the URL to a user's files is unique for each user.

Dave Swersky
A: 

I think it would be easier if your files are associated with an ID and the path is kept in the database. This way you can pull the files using the ID.

azamsharp
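
The handler approach from the answers above, combined with opaque IDs and a per-token check on each file, as an added example that is not code from any of the posters. The `Grant` class, the in-memory dictionaries (standing in for database tables) and the `token` and `id` query parameter names are assumptions; tokens are assumed to be issued from a cryptographically strong random source.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Hypothetical grant record: which file IDs one token may fetch, and until when.
public sealed class Grant
{
    public HashSet<Guid> FileIds = new HashSet<Guid>();
    public DateTime ExpiresUtc;
}

public class FileHandler : IHttpHandler
{
    // Stand-ins for database tables (assumption): token -> grant, file ID -> server path.
    public static readonly ConcurrentDictionary<Guid, Grant> Grants = new ConcurrentDictionary<Guid, Grant>();
    public static readonly ConcurrentDictionary<Guid, string> Paths = new ConcurrentDictionary<Guid, string>();

    public bool IsReusable { get { return true; } }

    // Returns the server-side path only if the token is valid, unexpired and covers this file.
    public static string Resolve(string tokenText, string fileText, DateTime nowUtc)
    {
        Guid token, fileId;
        Grant grant;
        string path;
        if (!Guid.TryParse(tokenText, out token) || !Guid.TryParse(fileText, out fileId)) return null;
        if (!Grants.TryGetValue(token, out grant) || grant.ExpiresUtc <= nowUtc) return null;
        if (!grant.FileIds.Contains(fileId)) return null;   // per-file authorization
        return Paths.TryGetValue(fileId, out path) ? path : null;
    }

    public void ProcessRequest(HttpContext context)
    {
        // The path always comes from the server-side map, never from the request itself.
        string path = Resolve(context.Request.QueryString["token"],
                              context.Request.QueryString["id"], DateTime.UtcNow);
        if (path == null || !File.Exists(path))
        {
            context.Response.StatusCode = 404;   // same answer for every kind of failure
            return;
        }
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path).Replace("\"", "") + "\"");
        context.Response.TransmitFile(path);
    }
}
```

The check only helps if the files cannot also be requested directly, so they should live outside the site's web root or in a folder where direct requests are denied.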