Prevent user from direct access to a folder

Question

User895691971 posted

I have a website which includes some data that must not be directly accessible by the client. I have that inside the folder as

root
|-Confidential
  |-Test.txt
  |- web.confid
  |- _PageStart.cshtml
web.config

..what I want to do is, to deny the access to the folder Confidential as a whole by the user, so that all of the content, is accessed directly would be redirected somewhere to shown a simple 404.

I have even tried using the web.config file as there was a solution in Stack Overflow, to create a new web.config file and then write this to it.

<?xml version="1.0"?>
<configuration>
    <system.web>
      <authorization>
        <allow users="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>

But it doesn't work for me. Then I tried using another method by replacing the name of the file, and writing it as _Test.txt. But I guess, ASP.NET only controls the .cshtml files and other ASP.NET files to be hidden this way.

Another method applied was, setting the error code to 404 by creating a new page called_PageStart.cshtml and then writing this code

@{
    Response.StatusCode = 404;
}

..but again! The page was directly accessible. After all these methods, I came here, to find a solution to this problem. How can I deny the access to all of the file or the folder as a whole in ASP.NET.

Answer 1

User895691971 posted

Solution, add

<security>
  <requestFiltering>
    <hiddenSegments>
      <add segment="folderName"/>
    </hiddenSegments>
  </requestFiltering>
</security>

..to the system.webServer section and it will result in a 404.

Answer 2

User-821857111 posted

By default, static content is not protected by forms authentication within an ASP.NET application. If your site is running in integrated mode on IIS 7 or above, you can make a change to the web.config file to change this. Add the following to your web.config file:

<system.webServer> 
<modules> 
    <remove name="FormsAuthenticationModule" />    
   <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />    
    <remove name="UrlAuthorization" />    
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />    
    <remove name="DefaultAuthentication" />    
    <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />    
</modules> 
</system.webServer> 

You also need to add the following to protect the Confidential folder:

<location path="Confidential">
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</location>

You should add that to the <configuration> section. Then you just need to ensure your app is set up to use Forms authentication:

<system.web>
    <authentication mode="Forms" />
</system.web>

See this for more information on Integrated Pipeline: http://www.iis.net/learn/application-frameworks/building-and-running-aspnet-applications/how-to-take-advantage-of-the-iis-integrated-pipeline

Answer 3

User-821857111 posted

Solution, add

<security>
  <requestFiltering>
    <hiddenSegments>
      <add segment="folderName"/>
    </hiddenSegments>
  </requestFiltering>
</security>

..to the system.webServer section and it will result in a 404.

That will work if you don't want anyone to be able to access the static content of the folder. And I mean anyone. Your OP suggests that you might want an authorised person to be able to access the content in which case my reply might help. 

Answer 4

User895691971 posted

Afzaal.Ahmad.Zeeshan

Solution, add

<security>
  <requestFiltering>
    <hiddenSegments>
      <add segment="folderName"/>
    </hiddenSegments>
  </requestFiltering>
</security>

..to the system.webServer section and it will result in a 404.

That will work if you don't want anyone to be able to access the static content of the folder. And I mean anyone. Your OP suggests that you might want an authorised person to be able to access the content in which case my reply might help. 

Yes, I did check that thing out and it was anyone. 

But I found that the App_Data folder is a better way of doing this. Each and every content present inside the folder if directly accessed gets a 404 error. That folder has the same thing? Deny All users thing or a seperate control by ASP.NET? So, I changed the idea of doing this thing by pasting the stuff inside the App_Data folder and let the ASP.NET handle it.

And yes, I want to ignore all of the users from accessing the data in that folder. I will create a UI for the admins (or as a whole the team of mine) to work with the files in that folder because server has the access to the file and contents. 

Answer 5

User-821857111 posted

App_Data is protected by ASP.NET Request Filtering. You will have to create a handler of some kind to access the content of App_Data or any folder that you protect using Request filtering. Then you perform authentication in the handler.