[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1018
  • Last Modified:

How to prevent direct access to the files on website?

We have an internal website (.Net with SQL as backend) which requires users to login before they can enter and use the site. One of the features is that it allows to download files once the user is logged in. I noticed if I know the full path of the URL to a specific file such as www.testsite.com/download/abc.doc I can directly download the file without having to login...is there a way to prevent this behaviour?

4 Solutions
Sounds like what you would want to do is move your documents out of the root website folder into an unreachable folder (by web) and create a script (language pending on your setup) that would be able to access the files and deliver them to the user if they meet your requirements. Im not familar with ASP but believe there are already scripts like this for PHP. Maybe someone familar with ASP can chime in if they know of one.
Could you create an application pool that uses a low level user on the IIS server? Then only grant access to the download folder to that low level user. That way, they can only get access to the folder when they have been succesffully authenticated by the website?

That may screw up your forms authentication though. Just a thought.
I've attached code in classic ASP that use ADO stream to stream file to user. With this code, files can be place in any folder under IIS then uncheck read/write/directory browsing for that folder. In ASP.NET same concept can be applied only difference is you might need to apply folder permission to ASPNET worker process account.
Response.Buffer = True
Server.ScriptTimeout = 30000 
strFileName = Request("FileName")
'perform access control here, if user not logged in redirect them elsewhere
Response.ContentType = "application/x-unknown"
strFilePath = Server.Mappath("FilesFolder") & "\" & strFileName
Response.AddHeader "Content-Disposition", "attachment; filename=" & strFileName
Set adoStream = CreateObject("ADODB.Stream") 
intChunkSize = 2048 
adoStream.Type = 1 
intFileSize = adoStream.Size 
Response.AddHeader "Content-Length", intFileSize 
For i = 1 To intFileSize \ intChunkSize 
    If Not Response.IsClientConnected Then Exit For 
    Response.BinaryWrite adoStream.Read(intChunkSize) 
If intFileSize Mod intChunkSize > 0 Then 
    If Response.IsClientConnected Then
        Response.BinaryWrite adoStream.Read(intFileSize Mod intChunkSize) 
    End If 
End If 
Set adoStream = Nothing 

Open in new window

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Rainbow002Author Commented:
Thanks guys for responding but seems like this is something for developers who built the application to figure out...?
I was wondering if there was any settings on the folder permissions or IIS that can be turned on/off to prevent direct access to the files without authentication from user?
Please advise!
1. After the users log in, what security context are they logging in under? Look at the security configuration in the virtual directory in the IIS console to determine this.
2. If they are running under windows authentication, then simply restrict the download folder on the IIS server to only allow their windows accounts access to the folder.
3. If they are not (and I suspect they are not since the app is using forms authentication), then you will probably need some help from the developers to set up the security on the download folder appropriately.
1. IUSR<<ComputerName>>
2. IWAM<<ComputerName>>
3. Network Service

1 and 2 are for asp code in IIS 6.0 and 3 point are for .net coded page.

Remove them you no one will be able to access these files/folder where you apply.

You can add or check FTP user must remain on that folder as you have to upload file's to folder

let me know if that resolves your issue


Rainbow002Author Commented:
Thanks guys! I figure I'd need developers input to go about this.

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now