Restrict access to content on web page

  • Question

  • I'm building a web application which allows users to download zip files:
        - Login.aspx
        - Default.aspx

    Users must log in before being redirected to the main page (Default.aspx). On this main page, a user can download any zip file posted.

    The problem is that they can distribute the link to the zip files. How can I prevent users from doing so?


    Thursday, March 26, 2009 9:46 PM

Answers

  • Hi EliteCoder,

    First Issue: User Login
    You can use HttpHandler for .aspx extension. In this handler you can check if the user is logged in to your web site.  Once the user logs in you can create a logon token, which you can query later to check user authenticity. If the user is not logged in then you can redirect the user to the Logon page.

    Second Issue: URL for downloading zip file.
    Do not provide URLs for downloading the zip file. Instead, use server-side LinkButtons. On click of a button, interpret which button was clicked and accordingly allow the user to download the zip file.

    Hope this helps you!
    Sandeep Aparajit | http://sandeep-aparajit.blogspot.com | Mark useful posts as Answer/Helpful.
    Monday, March 30, 2009 5:28 AM
  • Maybe I'm missing something but you could also put all your zip files into:

    /myzipfiles/*.zip

    and in default.aspx, have links to /myzipfiles/one.zip /myzipfiles/two.zip etc

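    finally, in the web.config add the following:

    <!-- path is relative to the application root; it must not begin with "/" -->
    <location path="myzipfiles">
      <system.web>
        <authorization>
          <!-- "?" matches anonymous (unauthenticated) users -->
          <deny users="?" />
        </authorization>
      </system.web>
    </location>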

    This way, only authenticated users will be able to access files in this location. If you need more info on this, read up on forms authentication. It will save you from having to write a whole lot of code...

    Tuesday, March 31, 2009 1:50 AM

All replies

  • You might try creating a custom HTTP handler or an HTTP module!  Then you can intercept the call to the zip file and interrogate if the user is logged in or not.  If they are not then you can redirect them to your login page.

    http://www.15seconds.com/Issue/020417.htm

    If you don't want to go through this work, the even easier way is to never give out the URL to a zip file!  Allow your users to go through a Download.aspx page which can be passed parameters so that you know which file is being requested and then do a server side redirect to the file itself or transfer the content of the file directly in the output.

    Lots of options!
    Friday, March 27, 2009 10:01 PM
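
The gated download described in the reply above, as an added example that is not part of the original thread: an ASP.NET handler that checks the login on every request and streams the zip from a folder that has no URL of its own. Forms authentication, the `DownloadHandler` name, the `~/App_Data/zips` folder and the `id` parameter are assumptions.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Security;

// Added example. DownloadHandler, ~/App_Data/zips and the "id" parameter
// are assumed names; Forms authentication is assumed.
public class DownloadHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Checked on every request, so a copied link only works for
        // someone who is logged in; everyone else gets the login page.
        if (!context.Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // ASP.NET refuses direct requests into App_Data, so the zip
        // files have no URL of their own to pass around.
        string root = context.Server.MapPath("~/App_Data/zips");

        // Accept a bare *.zip file name only: path separators, drive
        // colons, quotes and control characters are all rejected, which
        // blocks traversal and header injection via the file name.
        string id = context.Request.QueryString["id"] ?? string.Empty;
        bool safeName = id.Length > 0
            && id.IndexOfAny(Path.GetInvalidFileNameChars()) < 0
            && id.EndsWith(".zip", StringComparison.OrdinalIgnoreCase);

        string fullPath = safeName ? Path.Combine(root, id) : null;
        if (fullPath == null || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/zip";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + id + "\"");
        context.Response.TransmitFile(fullPath);
    }
}
```

A forwarded link to this handler still works for anyone who can log in; for anyone else it leads to the login page.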

  • What I did was to get the
            Request.QueryString("id")
    and then redirect the user to the download file. However, a user can still distribute the
            download.aspx?id=file1.zip
    to other users.

    1. To redirect: The actual download path is revealed if the user has a download manager to catch the file path.
    2. To transfer content to output, I believe that users can still see the path. Am I correct?

        Response.AddHeader("Content-Disposition", "attachment; filename=" + fileName);
        Response.WriteFile(filePath + fileName);
        Response.End();

    Friday, March 27, 2009 10:47 PM