Prevent user from direct access to a folder

Question
-
User895691971 posted
I have a website which includes some data that must not be directly accessible by the client. I have that inside the folder as
root
|-Confidential
   |-Test.txt
   |-web.config
   |-_PageStart.cshtml
web.config
..what I want to do is, to deny the access to the folder Confidential as a whole by the user, so that all of the content, if accessed directly, would be redirected somewhere to show a simple 404.
I have even tried using the web.config file as there was a solution in Stack Overflow, to create a new web.config file and then write this to it.
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
But it doesn't work for me. Then I tried using another method by replacing the name of the file, and writing it as _Test.txt. But I guess, ASP.NET only controls the .cshtml files and other ASP.NET files to be hidden this way.
Another method applied was setting the error code to 404 by creating a new page called _PageStart.cshtml and then writing this code
@{ Response.StatusCode = 404; }
..but again! The page was directly accessible. After all these methods, I came here to find a solution to this problem. How can I deny the access to all of the files or the folder as a whole in ASP.NET?
Wednesday, September 3, 2014 6:24 AM
All replies
-
User895691971 posted
Solution, add
<security>
  <requestFiltering>
    <hiddenSegments>
      <add segment="folderName"/>
    </hiddenSegments>
  </requestFiltering>
</security>
..to the system.webServer section and it will result in a 404.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Wednesday, September 3, 2014 8:10 AM -
User-821857111 posted
By default, static content is not protected by forms authentication within an ASP.NET application. If your site is running in integrated mode on IIS 7 or above, you can make a change to the web.config file to change this. Add the following to your web.config file:
<system.webServer>
  <modules>
    <remove name="FormsAuthenticationModule" />
    <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
    <remove name="UrlAuthorization" />
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    <remove name="DefaultAuthentication" />
    <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
  </modules>
</system.webServer>
You also need to add the following to protect the Confidential folder:
<location path="Confidential">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
You should add that to the <configuration> section. Then you just need to ensure your app is set up to use Forms authentication:
<system.web>
  <authentication mode="Forms" />
</system.web>
See this for more information on Integrated Pipeline: http://www.iis.net/learn/application-frameworks/building-and-running-aspnet-applications/how-to-take-advantage-of-the-iis-integrated-pipeline
Wednesday, September 3, 2014 8:28 AM -
User-821857111 posted
Solution, add
<security>
  <requestFiltering>
    <hiddenSegments>
      <add segment="folderName"/>
    </hiddenSegments>
  </requestFiltering>
</security>
..to the system.webServer section and it will result in a 404.
That will work if you don't want anyone to be able to access the static content of the folder. And I mean anyone. Your OP suggests that you might want an authorised person to be able to access the content in which case my reply might help.
Wednesday, September 3, 2014 8:33 AM -
User895691971 posted
Afzaal.Ahmad.Zeeshan
Solution, add
<security>
  <requestFiltering>
    <hiddenSegments>
      <add segment="folderName"/>
    </hiddenSegments>
  </requestFiltering>
</security>
..to the system.webServer section and it will result in a 404.
That will work if you don't want anyone to be able to access the static content of the folder. And I mean anyone. Your OP suggests that you might want an authorised person to be able to access the content in which case my reply might help.
Yes, I did check that thing out and it was anyone.
But I found that the App_Data folder is a better way of doing this. Each and every content present inside the folder if directly accessed gets a 404 error. That folder has the same thing? Deny All users thing or a separate control by ASP.NET? So, I changed the idea of doing this thing by pasting the stuff inside the App_Data folder and let the ASP.NET handle it.
And yes, I want to ignore all of the users from accessing the data in that folder. I will create a UI for the admins (or as a whole the team of mine) to work with the files in that folder because server has the access to the file and contents.
Wednesday, September 3, 2014 10:39 AM -
User-821857111 posted
App_Data is protected by ASP.NET Request Filtering. You will have to create a handler of some kind to access the content of App_Data or any folder that you protect using Request filtering. Then you perform authentication in the handler.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Wednesday, September 3, 2014 12:17 PM
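The handler approach described in the last reply, as an added example that is not part of the original thread: a C# IHttpHandler that authenticates and authorizes the caller, then streams a file out of App_Data. The class name, the `name` query-string parameter and the `Admin` role are assumptions made for illustration.

```csharp
// Added example, not code from the thread. Host it from a generic handler
// (.ashx) file; the class name, role and parameter name are hypothetical.
using System;
using System.IO;
using System.Web;

public class ConfidentialFileHandler : IHttpHandler
{
    private const string RequiredRole = "Admin";   // assumed role name
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Authenticate and authorize before touching the file system.
        //    Under Forms authentication a 401 becomes a redirect to the login page.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }
        if (!context.User.IsInRole(RequiredRole))
        {
            context.Response.StatusCode = 403;
            return;
        }

        // 2. Accept a bare file name only. Rejecting separators, ':' and other
        //    invalid characters blocks "..\" style traversal out of the folder.
        string name = context.Request.QueryString["name"] ?? "";
        string root = context.Server.MapPath("~/App_Data");
        string fullPath = (name.Length > 0 && name.IndexOfAny(Path.GetInvalidFileNameChars()) < 0)
            ? Path.GetFullPath(Path.Combine(root, name))
            : null;

        // 3. Re-check containment after normalization (a bare ".." resolves to
        //    the parent folder) and answer 404 for anything else.
        if (fullPath == null
            || !fullPath.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.TransmitFile(fullPath);
    }
}
```

Because the handler reads the file server-side, direct URLs into App_Data keep returning 404 while authorized users download through the handler.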