Working in an asp.net 2.0 (VB) environment, I already have code that can generate an excel file from a database for a particular "user" of the website. I want to be able to launch this report generator on demand, and then after the file has been generated, allow the user to download this file.
How can I do this securely, and not just dumping the files off in some publicly readable directory?
Note: Related to this question, but the part I'm really interested in was never answered.
Instead of putting it in a public directory you could create an HTTP Handler which allows you to do authorization.
You can create an handler either by compiling and registering in web.config or by creating an ashx page. Then your page would authorize the user, and then write the contents to the response.
If you need session state be sure to inherit from IRequiresSessionState.
I'm a C# guy so here's a sample in that:
public class DownloadFile : IHttpHandler, System.Web.SessionState.IRequiresSessionState
{
public void ProcessRequest (HttpContext context) {
//Validate user is authenticiated and authorized.
if (context.Request.IsAuthenticated)
{
//This is your own custom authorization mechanism
if (AuthorizeUser(context.Request.User))
{
//not sure what the correct content type is. This is probally wrong
context.Response.ContentType = "application/xls";
//Setting size is optional
context.Response.AddHeader("Content-Disposition",
"attachment; filename=" + downloadName + "; size=" + myExcellFile.Length.ToString());
context.Response.BinaryWrite(myExcellFile);
}
}
Use an Http handler (*.ashx file). Move your code to generate the file to the handler, check security there before generating the file, set the appropriate content-type and content-disposition headers, and use Response.BinaryWrite to send your file directly to the browser. Never put it on your server's file system.
Can you...?
This would allows you to have those urls time out or even to regenerate the excel spreadsheet on the fly if needed.