Re: Securing access to other files in an ASP.NET application

From: Steve C. Orr [MVP, MCSD] (Steve_at_Orr.net)
Date: 03/12/04


Date: Fri, 12 Mar 2004 11:59:21 -0800

Yes, you've got the idea.
Standard Windows file/folder permissions should be sufficient to protect the
files from direct access.

-- 
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
"NWx" <test@test.com> wrote in message
news:OOFsbyBCEHA.2628@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> > Otherwise you'll probably store your restricted files in a private folder
> > and use Response.Writefile once you've determined the user is authorized:
> >
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemwebhttpresponseclasswritefiletopic.asp
>
> So, to use this technique, instead of putting a hardcoded anchor in my
> template column, should I put a hyperlink button with appropriate
> parameters, so when the user clicks it, it will trigger a server-side event
> which will execute a response.writefile, passing the desired file back to
> the browser?
>
> How can I make a folder restricted? Should I do this using WinNT folder
> security features, or put it outside of the virtual web folder (in a folder
> not accessible from the web site)?
>
> Which approach will be better?
>
> Thank you very much for your answer.
> >
> > -- 
> > I hope this helps,
> > Steve C. Orr, MCSD, MVP
> > http://Steve.Orr.net
> >
> >
> > "NWx" <test@test.com> wrote in message
> > news:uNW0rvACEHA.3928@TK2MSFTNGP09.phx.gbl...
> > > Hi,
> > >
> > > I have an ASP.NET app with forms security.
> > > Users are allowed to upload files (which are "attached" to user accounts
> > > in the database)
> > > Documents are saved in a subfolder of the application, then in a
> > > sub-subfolder with the same name as user account.
> > >
> > > For example, for user jo, the document will be saved in
> > > documents/jo/a_picture.jpg
> > > Then after logon, the user can see all his attached documents in a
> > > datagrid, with a link to open/download
> > >
> > > But, if the user remembers the URL without being logged in, and types it
> > > into the browser's address bar, he/she can open / download the document.
> > >
> > > How can I extend the security features of ASP.NET forms security to
> > > protect not only ASPX pages, but also all other documents in the
> > > application's virtual folder and subfolders?
> > >
> > > Thank you
>
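
Added example, not part of the original thread or anyone's posted code: a sketch of the approach discussed above, where the datagrid links point at a server-side handler that checks the logged-in user and then calls Response.WriteFile on a file kept outside the virtual folder. The handler name, the `StoreRoot` path and the `file` query-string parameter are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler (e.g. Download.ashx); class name, StoreRoot and the
// "file" parameter are assumptions, not taken from the thread.
public class DownloadHandler : IHttpHandler
{
    // Assumed private store, outside every IIS virtual directory, so no URL maps to it.
    private const string StoreRoot = @"D:\PrivateDocs";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Forms authentication only guards requests that ASP.NET handles, so check here.
        if (!context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // The owner's folder comes from the authenticated identity, never from the request.
        string owner = Path.GetFileName(context.User.Identity.Name);
        string userDir = Path.GetFullPath(Path.Combine(StoreRoot, owner));

        // Keep only the file name so "..\" segments cannot leave the user's folder.
        string requested = Path.GetFileName(context.Request.QueryString["file"] ?? "");
        string fullPath = Path.GetFullPath(Path.Combine(userDir, requested));

        if (owner.Length == 0 || requested.Length == 0 ||
            !fullPath.StartsWith(userDir + Path.DirectorySeparatorChar,
                                 StringComparison.OrdinalIgnoreCase) ||
            !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;   // same answer for "missing" and "not yours"
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
                                   "attachment; filename=\"" + requested + "\"");
        context.Response.WriteFile(fullPath);
    }
}
```

With this layout a link such as `Download.ashx?file=a_picture.jpg` replaces the direct `documents/jo/a_picture.jpg` URL, and NTFS permissions on the store only need to grant read access to the ASP.NET worker account.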