Re: Securing access to other files in an ASP.NET application
From: Steve C. Orr [MVP, MCSD] (Steve_at_Orr.net)
Date: Fri, 12 Mar 2004 11:59:21 -0800
Yes, you've got the idea.
Standard Windows file/folder permissions should be sufficient to protect the
files from direct access.
--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net

"NWx" <email@example.com> wrote in message
news:OOFsbyBCEHA.2628@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> > Otherwise you'll probably store your restricted files in a private folder
> > and use Response.Writefile once you've determined the user is authorized:
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemwebhttpresponseclasswritefiletopic.asp
>
> So, to use this technique, instead of putting a hardcoded anchor in my
> template column, should I put a hyperlink button with appropriate
> parameters, so when the user clicks it, it will trigger a server-side event
> which will execute a response.writefile, passing the desired file back to
> the browser?
>
> How can I make a folder restricted? Should I do this using WinNT folder
> security features, or put it outside of the virtual web folder (in a folder
> not accessible from the web site)?
>
> Which approach will be better?
>
> Thank you very much for your answer.
>
> > --
> > I hope this helps,
> > Steve C. Orr, MCSD, MVP
> > http://Steve.Orr.net
> >
> > "NWx" <firstname.lastname@example.org> wrote in message
> > news:uNW0rvACEHA.3928@TK2MSFTNGP09.phx.gbl...
> > > Hi,
> > >
> > > I have an ASP.NET app with forms security.
> > > Users are allowed to upload files (which are "attached" to user accounts
> > > in the database).
> > > Documents are saved in a subfolder of the application, then in a
> > > sub-subfolder with the same name as the user account.
> > >
> > > For example, for user jo, the document will be saved in
> > > documents/jo/a_picture.jpg
> > > Then after logon, the user can see all his attached documents in a
> > > datagrid, with a link to open/download.
> > >
> > > But, if the user remembers the URL without being logged in, and types it
> > > into the browser's address bar, he/she can open / download the document.
> > >
> > > How can I extend the security features of ASP.NET forms security to
> > > protect not only ASPX pages, but also all other documents in the
> > > application's virtual folder and subfolders?
> > >
> > > Thank you
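
The approach discussed in this thread (files kept in a private folder, returned with Response.WriteFile only after the user is authorized), as an added C# example that is not part of the original posts. The handler name, the `file` query parameter and the `PrivateRoot` path are hypothetical, and it assumes one folder per account name as in the original question.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler (for example mapped to Download.ashx); not code from the thread.
public class DocumentDownloadHandler : IHttpHandler
{
    // Assumed location outside the virtual directory, so no URL maps to these files.
    private const string PrivateRoot = @"D:\PrivateData\documents";
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Forms authentication has already populated context.User for this request.
        if (!context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // Accept a bare file name only: separators, drive colons and other
        // invalid characters are rejected before any path is built.
        string name = context.Request.QueryString["file"];
        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            context.Response.StatusCode = 400;
            return;
        }

        // The folder is derived from the logged-in account, never from the request.
        // Assumes account names were restricted to safe characters at registration.
        string userDir = Path.GetFullPath(Path.Combine(PrivateRoot, context.User.Identity.Name));
        string fullPath = Path.GetFullPath(Path.Combine(userDir, name));

        // Containment check catches names such as ".." that pass the character filter.
        if (!fullPath.StartsWith(userDir + Path.DirectorySeparatorChar,
                                 StringComparison.OrdinalIgnoreCase) ||
            !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.WriteFile(fullPath);
    }
}
```

The datagrid links would then point at the handler with the file name as a parameter instead of at the document's own URL, and the account the ASP.NET worker process runs as needs read permission on the private folder.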