How to prevent direct access to the files on website?

Hi,
We have an internal website (.Net with SQL as backend) which requires users to login before they can enter and use the site. One of the features is that it allows users to download files once they are logged in. I noticed that if I know the full path of the URL to a specific file, such as www.testsite.com/download/abc.doc, I can directly download the file without having to log in... Is there a way to prevent this behaviour?

Thanks
Rainbow002 Asked:
Who is Participating?
 
dro_law Commented:
Could you create an application pool that uses a low level user on the IIS server? Then only grant access to the download folder to that low level user. That way, they can only get access to the folder when they have been successfully authenticated by the website?

That may screw up your forms authentication though. Just a thought.
0
 
dping28 Commented:
Sounds like what you would want to do is move your documents out of the root website folder into a folder that is unreachable by the web, and create a script (language depending on your setup) that would be able to access the files and deliver them to the user if they meet your requirements. I'm not familiar with ASP but believe there are already scripts like this for PHP. Maybe someone familiar with ASP can chime in if they know of one.
0
 
haoli12345 Commented:
I've attached code in classic ASP that uses an ADO stream to stream a file to the user. With this code, files can be placed in any folder under IIS; then uncheck read/write/directory browsing for that folder. In ASP.NET the same concept can be applied; the only difference is you might need to apply folder permission to the ASPNET worker process account.
<%@ LANGUAGE="VBSCRIPT" %>
<% 
Response.Buffer = True
Server.ScriptTimeout = 30000 
 
strFileName = Request("FileName")
'perform access control here, if user not logged in redirect them elsewhere

'accept only a plain file name: a request containing "\", "/" or ".." could
'otherwise escape FilesFolder and read files the script was never meant to serve
If Len(strFileName) = 0 Or InStr(strFileName, "\") > 0 Or InStr(strFileName, "/") > 0 Or InStr(strFileName, "..") > 0 Then
    Response.Status = "404 Not Found"
    Response.End
End If
 
Response.ContentType = "application/x-unknown"
 
'FilesFolder is resolved relative to this script; it should have no web read access
strFilePath = Server.Mappath("FilesFolder") & "\" & strFileName
Response.AddHeader "Content-Disposition", "attachment; filename=" & strFileName
 
'ADODB.Stream type 1 = binary
Set adoStream = CreateObject("ADODB.Stream") 
intChunkSize = 2048 
adoStream.Open() 
adoStream.Type = 1 
adoStream.LoadFromFile(strFilePath) 
 
intFileSize = adoStream.Size 
 
Response.AddHeader "Content-Length", intFileSize 
 
'send the file in whole chunks, stopping early if the client goes away
For i = 1 To intFileSize \ intChunkSize 
    If Not Response.IsClientConnected Then Exit For 
    Response.BinaryWrite adoStream.Read(intChunkSize) 
Next 
 
'send the remaining partial chunk, if any
If intFileSize Mod intChunkSize > 0 Then 
    If Response.IsClientConnected Then
        Response.BinaryWrite adoStream.Read(intFileSize Mod intChunkSize) 
    End If 
End If 
 
adoStream.Close 
Set adoStream = Nothing 
 
Response.End
%>


0
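The same approach applied to the asker's .NET site, as an added example that is not from the thread or from any of its posters: files are kept outside the web root (so IIS cannot serve them by URL at all), and an ASP.NET HTTP handler checks that the user is authenticated, rejects any name that is not a plain file name inside the store, and only then streams the file. The store path `D:\ProtectedFiles`, the handler name `Download.ashx` and the query parameter `file` are assumptions for the example.

```csharp
// Added example (not from the thread): an ASP.NET (.NET Framework) IHttpHandler that
// serves files stored OUTSIDE the web root only to authenticated users.
// Assumptions: forms authentication is configured in web.config, the files live in
// D:\ProtectedFiles (placeholder), and this class is registered as Download.ashx.
using System;
using System.IO;
using System.Web;

public class SecureDownloadHandler : IHttpHandler
{
    // Folder outside the site's physical root, so no URL maps to it directly.
    private const string StoreRoot = @"D:\ProtectedFiles";   // placeholder path

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Authentication: the control that a direct URL to /download/abc.doc bypasses.
        //    With forms authentication, a 401 here is turned into a redirect to the login page.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            context.ApplicationInstance.CompleteRequest();
            return;
        }

        // 2. Resolve the requested name and refuse anything that would escape StoreRoot.
        string requested = context.Request.QueryString["file"];
        string fullPath;
        if (!TryResolve(requested, out fullPath) || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            context.ApplicationInstance.CompleteRequest();
            return;
        }

        // 3. Stream the file; TransmitFile hands it to IIS without buffering it in memory.
        context.Response.Clear();
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        context.Response.AddHeader("Content-Length", new FileInfo(fullPath).Length.ToString());
        context.Response.TransmitFile(fullPath);
        context.ApplicationInstance.CompleteRequest();
    }

    // True only when the name is a bare file name (no separators, not "." or "..")
    // and its canonical path is still inside StoreRoot.
    internal static bool TryResolve(string name, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(name)) return false;
        if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;
        if (name != Path.GetFileName(name) || name == "." || name == "..") return false;

        string root = Path.GetFullPath(StoreRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, name));
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;

        fullPath = candidate;
        return true;
    }
}
```

To wire it up, save the class as Download.ashx with a `<%@ WebHandler Language="C#" Class="SecureDownloadHandler" %>` directive (or register it under `<httpHandlers>` in web.config), give the application pool identity read access to the store folder as haoli12345 notes, and link to `Download.ashx?file=abc.doc` instead of `/download/abc.doc`. The old `/download` folder can then be removed from the site entirely, which is what actually closes the direct-URL route.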
 
Rainbow002 (Author) Commented:
Thanks guys for responding, but it seems like this is something for the developers who built the application to figure out...?
I was wondering if there were any settings on the folder permissions or IIS that can be turned on/off to prevent direct access to the files without authentication from the user?
Please advise!
0
 
dro_law Commented:
1. After the users log in, what security context are they logging in under? Look at the security configuration in the virtual directory in the IIS console to determine this.
2. If they are running under windows authentication, then simply restrict the download folder on the IIS server to only allow their windows accounts access to the folder.
3. If they are not (and I suspect they are not since the app is using forms authentication), then you will probably need some help from the developers to set up the security on the download folder appropriately.
0
 
jaswinder108 Commented:
1. IUSR_<ComputerName>
2. IWAM_<ComputerName>
3. Network Service

1 and 2 are for ASP code in IIS 6.0 and point 3 is for .NET coded pages.

Remove them and no one will be able to access the files/folder where you apply this.

You can add or check that the FTP user remains on that folder, as you have to upload files to the folder.

let me know if that resolves your issue

Thanks

0
 
Rainbow002 (Author) Commented:
Thanks guys! I figure I'd need the developers' input to go about this.
0