How to protect direct access to files

  • Question

  • User186656733 posted

    I notice that someone was trying to access some files in my asp.net website directly (such as .js .jpg .config), i.e., not through a .aspx page. 

    While asp.net protects web.config file, is there a way to protect direct access to other files?

    Help most appreciated.

    Thursday, November 7, 2013 4:38 PM

All replies

  • User-183374066 posted

    I notice that someone was trying to access some files in my asp.net website directly (such as .js .jpg

    You cannot stop that. Actually, a page requests images and js files the same way as we request a page.

    The thing you can do is put all images and other files in a folder and don't allow access to that folder. Write a module which returns files, and check in that module whether to send the file or not. Then you can request that module to send you the files.

    Thursday, November 7, 2013 5:01 PM
  • User71929859 posted

    I notice that someone was trying to access some files in my asp.net website directly (such as .js .jpg .config), i.e., not through a .aspx page. 

    Not really. But you can do something like the below to prevent image leeching:

    http://www.mikesdotnetting.com/Article/126/ASP.NET-MVC-Prevent-Image-Leeching-with-a-Custom-RouteHandler

    Thursday, November 7, 2013 10:34 PM
  • User753101303 posted

    Hi,

    First you have to identify against what you want to protect those files.

    Is this a public site? How do you see this is not done through an ASPX page? If public, it is expected that those files are downloaded to the browser, so whether or not this is done through a page shouldn't make any difference.

    If the site is not public, you'll likely have to move those files to a folder with IIS user authentication. You could also reuse some folders for which downloading content is already disabled (such as App_Data) and serve those resources using a handler (of course an authenticated user will still be able to grab those resources).

     

    Friday, November 8, 2013 7:49 AM
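
The approach suggested in the replies above (keep the files in a folder that is not served directly, such as App_Data, and return them through a handler that decides whether to send each file), sketched as an added example that is not part of any poster's reply. The class name, the `~/App_Data/Protected` folder and the `name` query parameter are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Web;

// Added example; class name, folder and query parameter are hypothetical.
public class ProtectedFileHandler : IHttpHandler
{
    // Assumed storage folder. ASP.NET does not serve App_Data directly.
    private const string RootVirtual = "~/App_Data/Protected";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Decide on the authenticated identity, not on Request.UrlReferrer:
        // the Referer header is supplied by the client and is often absent.
        if (!context.Request.IsAuthenticated) { Fail(context, 401); return; }

        string name = context.Request.QueryString["name"];
        if (string.IsNullOrEmpty(name)) { Fail(context, 400); return; }

        // Canonicalize both paths; the trailing separator stops a sibling
        // folder such as "Protected2" from passing the prefix check.
        string root = Path.GetFullPath(context.Server.MapPath(RootVirtual))
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full;
        try { full = Path.GetFullPath(Path.Combine(root, name)); }
        catch (Exception) { Fail(context, 400); return; }

        // Rejects "..\" traversal and rooted paths that escape the folder.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(full)) { Fail(context, 404); return; }

        context.Response.ContentType = MimeMapping.GetMimeMapping(full);
        context.Response.TransmitFile(full);
    }

    private static void Fail(HttpContext context, int status)
    {
        context.Response.StatusCode = status;
    }
}
```

The handler has to be registered (in web.config or as an .ashx file) and pages then link to it instead of to the files; `MimeMapping` requires .NET Framework 4.5 or later.
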
  • User186656733 posted

    How do you see this is not done through an ASPX page ?

    I log every request into a database file.  Among other information I include the "UrlReferrer".  In this case it is Nothing.

     

     

    Friday, November 8, 2013 9:23 PM
  • User186656733 posted

    I read the blog you recommended - thanks.

    My site is not MVC, so I would have to adapt the code.  I guess create HttpHandler for each file type I want to protect, then check Request.UrlReferrer - if Nothing, the file is being requested without a .aspx page, and return some kind of error (?)

    Does that sound reasonable?

    Friday, November 8, 2013 9:28 PM
  • User-183374066 posted

    I am assuming that you have implemented the membership that ships with the default template.

    First you need to stop anonymous access to your files folder. You can do it quickly by adding some configurations

    <location path="FolderPath">
        <system.web>
            <authorization>
                <!-- "?" matches anonymous (unauthenticated) users; deny them -->
                <deny users="?"/>
            </authorization>
        </system.web>
    </location>

    This will meet your requirement.

    If you want to apply any further logic, then you can add a handler which handles the file download.

    http://stackoverflow.com/questions/33693553/asp-net-mvc-secure-root-folder-only-for-authorized-users

    Wednesday, July 27, 2016 10:48 AM
  • User186656733 posted

    Thanks, Nasser, this helps.

    Is "Folderpath" relative? absolute? Path on disk?

    Wednesday, July 27, 2016 1:48 PM