Stop users navigating directly to a resource via IIS RRS feed

  • Question

  • User-321544978 posted

    Not 100% sure if this is the correct forum but I have the following question. 

    If I am storing uploaded videos in a folder, how do I secure the videos? I need to do two things.

    Firstly, users should only be able to view videos that they have been assigned to. This is done by having an asp.net page that displays the video. This requires that users have authorisation to the video directory via the web.config.

    Secondly, ensure users cannot navigate directly to the video, e.g. www.website.com/uploads/video1.mp4. Because users have authorisation to the video directory, they can simply bypass the video-displaying web page and navigate to the video. This is a security risk as we do not want a user of company A seeing a video by a user of company C.

    Is there a way in IIS to stop users navigating directly to specific resources, in this case a video?

    Any help to achieve this would be much appreciated.

    1. Make sure that users can not navigate to the video. EG go to 

    2. Ensure only authenticated and authorized users have access to the video.

    Tuesday, July 1, 2014 9:55 PM

Answers

  • User-760709272 posted

    Put the videos in the app_data folder, but in order for them to be downloaded you'll need a handler or something similar to transmit\binary write the file to the client.  Google for downloading files via ashx handler, there are lots of examples.

    You could probably get asp.net to handle all files for you, even video files, so your asp.net pipeline runs for video downloads.  That should let you check they're authorised to access the url first.  Again if you google for mapping static files through asp.net you'll find out how to do that.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, July 1, 2014 10:04 PM
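
The handler approach described in the answer above, as an added example that is not code from the thread. The class name `VideoHandler`, the `file` query parameter, the `~/App_Data/videos` folder and the in-memory `Assignments` table (constructed sample data standing in for the application's own per-user assignment lookup) are assumptions made for illustration.

```csharp
// VideoHandler.ashx.cs (added example; names and sample data are hypothetical)
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

public class VideoHandler : IHttpHandler
{
    // Constructed sample data: user name -> bare file names that user may view.
    // A real application would query its own assignment table here.
    private static readonly Dictionary<string, HashSet<string>> Assignments =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice@company-a.example",
              new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "video1.mp4" } },
            { "carol@company-c.example",
              new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "video2.mp4" } }
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Only authenticated users get any further.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // 2. Allow-list check: the requested value must equal a bare file name
        //    assigned to this user, so "..\web.config" or a sub-path never matches.
        string requested = context.Request.QueryString["file"] ?? string.Empty;
        HashSet<string> allowed;
        bool authorised =
            Assignments.TryGetValue(context.User.Identity.Name, out allowed) &&
            allowed.Contains(requested);

        // 3. App_Data is never served directly by ASP.NET, so this handler
        //    is the only route to the file.
        string root = context.Server.MapPath("~/App_Data/videos");
        string path = Path.Combine(root, requested.Length > 0 ? requested : "_");
        if (!authorised || !File.Exists(path))
        {
            context.Response.StatusCode = 404; // same reply for "missing" and "not yours"
            return;
        }

        context.Response.ContentType = "video/mp4";
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.TransmitFile(path); // streams without buffering the file in memory
    }
}
```

The display page would then point its video source at the handler (for example `VideoHandler.ashx?file=video1.mp4`) instead of at a path under the uploads folder.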