How to protect a specific file using VB.net, forms authentication/authorization

Hi Folks,
I have a .zip file I want to allow authorized users to download. I’m using ASP.NET (VB) and forms authentication.

My web config is set up like so:

<configuration>
    <system.web>
        <authentication mode="Forms">
            <forms name="dlAuth" loginUrl="login.aspx" protection="All" path="/" />    
        </authentication>

         <authorization>
                <deny users="?" />
         </authorization>
         
         <customErrors mode="Off" />

        <sessionState mode="Off" />
         <globalization fileEncoding="utf-8" requestEncoding="utf-8" responseEncoding="utf-8"/>
   
    </system.web>
   
    <location path="file.zip">
        <system.web>
         <authorization>
                <deny users="?" />
         </authorization>
        </system.web>
    </location>
</configuration>

This all works fine and users need to log in, except when you hit the file.zip directly like:

http://localhost/downloads/file.zip

The File download window pops up and I’m allowed to download the file.

How do I protect this file and only allow it to be downloaded when the user logs in? Thanks
Asked by ewarmour
 
mmarinov Commented:
Hi ewarmour,

Actually, you have to do the protection within IIS.
Check this article about protecting files with a certain extension: http://www.aspnetworld.com/articles/2004020403.aspx

Regards!
B..M
mmarinov
 
Jeff Certain Commented:
Try putting a web.config file that blocks unauthorized users in the download directory. This only needs to be a partial config file:
<configuration>
    <system.web>
        <!-- security -->
        <authorization>
           <deny users="?" />
           <allow users="*" />
        </authorization>
    </system.web>
</configuration>

 
ewarmour (Author) Commented:

Thanks for the reply, I've tried what you suggest with no luck. I can still access the zip file directly.
 
ewarmour (Author) Commented:
I configured IIS to filter zip files as described in the article:

http://www.dotnetjunkies.com/Article/F32DFC79-3AE7-4D9D-BF1D-91B4B6D130C7.dcik

Then simply added this to my web config:

    <location path="file.zip">
        <system.web>
         <authorization>
                <deny users="?" />
         </authorization>
        </system.web>
    </location>

Works like a charm.
 
ewarmour (Author) Commented:
and thanks mmarinov!
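
An alternative to mapping .zip to ASP.NET in IIS, shown as an added example that is not code from anyone in this thread: keep the archive out of the directly browsable path and stream it through a handler, since .ashx requests already pass through forms authentication. The class name, the `f` query parameter, the `Download.ashx` wiring and the `~/App_Data/downloads/` location are assumptions.

```vb
Imports System
Imports System.IO
Imports System.Web
Imports System.Web.Security

' Added example: hypothetical handler class, wired up as e.g. Download.ashx.
Public Class ProtectedDownload
    Implements IHttpHandler

    ' Assumption: archives live under App_Data, which is not served directly.
    Private Const StoreDir As String = "~/App_Data/downloads/"

    ' Fixed allowlist: the client picks a name from this list, never a path.
    Private Shared ReadOnly Allowed As String() = {"file.zip"}

    Public Sub ProcessRequest(ByVal context As HttpContext) _
        Implements IHttpHandler.ProcessRequest

        ' The site-wide <deny users="?" /> already covers .ashx requests;
        ' this explicit check keeps the handler safe if that rule is ever relaxed.
        If context.User Is Nothing OrElse Not context.User.Identity.IsAuthenticated Then
            FormsAuthentication.RedirectToLoginPage()
            Return
        End If

        Dim name As String = context.Request.QueryString("f")
        If name Is Nothing OrElse Array.IndexOf(Allowed, name) < 0 Then
            context.Response.StatusCode = 404
            Return
        End If

        Dim fullPath As String = context.Server.MapPath(StoreDir & name)
        If Not File.Exists(fullPath) Then
            context.Response.StatusCode = 404
            Return
        End If

        context.Response.ContentType = "application/zip"
        context.Response.AddHeader("Content-Disposition", "attachment; filename=""" & name & """")
        ' Keep the archive out of shared proxy caches.
        context.Response.Cache.SetCacheability(HttpCacheability.Private)
        context.Response.TransmitFile(fullPath)
    End Sub

    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property
End Class
```

With this in place the archive has no direct URL at all, so the authorization decision no longer depends on which extensions IIS hands to ASP.NET.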