asp.net media protection

Question

Does anyone know a good practice of securing media for asp.net?

I need to host a variety of media that require permission to a view a specific image/video. i.e. a specific user may or may not have permission to view a media file - and this fact may be changed on the fly.

I don't care if they can download a media file that they have access to, I just don't want them to even be aware of items they should not have access to.

I've already considered url obfuscation - this seems quite lame to me.

I have form authenticated users (and I'm not willing to change this).

I would like to keep the media file folder structure unrelated to permissions.

Answer 1

Build an HttpHandler that all media must be accessed through. Then, prior to retrieving the file and sending it down to the user, you can perform any validations that you'd like. Keep all of your media outside of the main wwwroot path, or deny access to that folder using permissions.

More info on this topic here:

http://www.15seconds.com/Issue/020417.htm

Answer 2

I'd suggest a table holding the files to which each user has access:

UserID int
FileID varchar

then a table for your files:

FileID    UniqueIdentifier
FileType  char(4)  <- so you know which extension to use.
etc...

On the hard drive, name the file the FileID (UniqueIdentifier) and the FileType (the extension, eg. .jpg). The fileID in the permissions table will hold the UniqueIdentifier generated in the other table.

You can pass this via the URL knowing with relative safety that the user won't be able to guess the name of any other file.

Update: this is, by the way, much simpler than writing an HttpHandler or dealing with file permissions. However, while the chances of someone guessing another file name are infinitesimal it is not airtight security as one user may give another one access to the file.

Answer 3

I use an xml file like this to set which users/groups have access to a file

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root[
    <!ELEMENT file ANY>
    <!ATTLIST file name ID #REQUIRED>
]>
<root>
    <file name="file.doc" users="155,321" groups="grp5" />
    <file name="file2.doc" users="321" groups="" />
</root>

files are stored above http root so they cannot be accessed by URL.

When a user tries to access GetFile.aspx?file=file.doc I load the XML, get the line with

XmlNode xnFile= XML.GetElementById(wantedFile);

, then I call a function

 HasAccess(Context.User, xnFile);

Which checks if the user is logged in and compares the permissions, and if it is ok for this user to have the file, I read the files from disk and write them out with

FileInfo thisFile = new FileInfo(secretLocation + wantedFile);
Response.Clear();
Response.Buffer = false;
Response.BufferOutput = false;
Response.ClearContent();
Response.ClearHeaders();
Response.AddHeader("Content-Length", thisFile.Length.ToString());
Response.AddHeader("Content-disposition", "filename=" + thisFile.Name);
Response.ContentType = "application/none";
Response.WriteFile(secretLocation + wantedFile);
Response.Close();
Response.End();
Response.ClearContent();
Response.ClearHeaders();

Actually now I have more than a thousand files, and I think of writing the file data to the database as the XML got corrupted twice in 5 years, probably due to crashes or simultaneous use.

Answer 4

brownpaperpackage.aspx?id={guid}

In the Load event of media.aspx, you verify the user is authenticated, then verify the user has the right to view the media, and if they do, then load the media as a stream and feed it to the page's Response as Spikolynn demonstrated.

Why do it this way? Its simple to code and you get all the benefits of ASP.NET and IIS' authentication services, from which you can find the user requesting the media. Its trivial to map that user to an access list for your media objects. And the Page has the request object right there. You're also hiding the name of the media, so you can't tell what's going on from the URL.

How do you keep people from accessing your media directly? Your media files cannot be stored in the IIS virtual directory. If they are, there's a possibility that they can be downloaded directly. You can store them in a database as a byte array (blob) or store them on disk outside of the web virtual directory. Users must go through ASP.NET to access the files

How do you keep track of what users have access to what media? You keep track of your users thorugh asp.net membership. That means each user has an ID in the aspnet_users table. Create a table for your media with an id and a filename (or a blob containing the actual media). Then you just need to create a third table that connects the two. This table would contain a user id and a media id, signifying this user can view this media. With the user id (from asp.net Membership) and the media id (from the URL) you just need to

select count(*) from UserMedia where UserId = @UserGuid and MediaId = @MediaIdFromUrl

and if the count > 0 the user can view the media.

An example of how you'd use the URL:

<asp:image 
  runat="server" 
  ImageUrl="brownpaperpackage.aspx?id=53a2ea4(snip)76ca8b" />

Answer 5

From your comment in the Spikolynn answer

I'm puzzled - how is this different than obfuscation? Would an authenticated user be able to share an image (which they are authorized for) with another authenticated but unauthorized user?

I guess that you try to prevent unauthorized sharing of media.

This is something a lot of companies (Microsoft, Apple, IBM, etc) have put considerable amount of money to solve. The solution was DRM, and now they are removing it, because it failed.

So, my answer is that you can not prevent sharing if the user is willing to put some effort to avoid it.

You can just keep the honest people honest by applying some techniques as Spikolynn or Lusid explain in their answers.