ASP.NET Anonymous User File Permissions

Hi Experts,

Currently I have an ASP.NET forms application that generates PDF files for users (anonymous web users).
These PDFs are stored on the server and an email delivers the PDF to the user.
This system has been happily humming along for almost 3 years now.

Now we want to change this workflow so that the user can "login" and "download" their own files when they need to.
So I know I will need to add a User Register but I don't know how I can set up permissions so that users can only download their own files.

It is crucially important that users cannot see each other's files.

I can create some sort of security via obfuscation but would rather do this 'properly' as a breach of security would be bad... not very bad but seriously damaging to my future prospects.

Many thanks for your time.


Asked by: Jonathan Kelly

Melih SARICA (Owner) commented:
The best way is to keep track of the generated PDF files in a SQL table and show each user only the ones they generated.
Of course you need to keep the username in the SQL table.

Jonathan Kelly (Author) commented:

Thank you for your comment. Can you expand on it a little?
Do you mean I should store the PDF file within the SQL DB and NOT on the filesystem?

Melih SARICA (Owner) commented:
You can keep it in SQL or on the file system; it won't matter.

But you must keep track of the files in SQL (for fast response). When a user wants to download a PDF file, you can select the files from SQL and list them on your web page. Then, when they click a file on the page, you can redirect the user to the file on the file system.

Jonathan Kelly (Author) commented:
I would like to keep the files on the filesystem as this is how we are setup at the moment.

If I do - how do I stop users downloading files that do not belong to them?

Currently the files are named with a GUID that is also the ORDER ID.
I realise it is highly unlikely that users will accidentally or otherwise download PDFs which are not their own but I would like to prevent the possibility entirely.

Maybe this is not possible with anonymous users in this scenario?

Melih SARICA (Owner) commented:
What you can do is write a service that will send the file (not redirect to it). It can be an .ashx file that gets the GUID as a parameter and checks the user's authorization for the current download.

Jonathan Kelly (Author) commented:

Can you provide a link to some sample code or relevant material to help me build the service?

Many Thanks,

Melih SARICA (Owner) commented:
Here is a good article with good examples.


Jonathan Kelly (Author) commented:
Thank you. This looks like it might be something I can use.
I have moved onto another project but I will be coming back to this over the next couple of weeks.
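
The handler approach suggested in the thread (an .ashx that receives the GUID, checks the user's authorization and sends the file itself instead of redirecting), as an added example that is not code from any participant or from the linked article. It assumes Forms Authentication, PDFs named `<order GUID>.pdf` under `~/App_Data/Pdfs`, a `dbo.OrderPdf(OrderId, UserName)` table and a connection string named `Orders`; all of these names are hypothetical.

```csharp
// Download.ashx code (added example). In a single-file handler, precede this
// with the directive: <%@ WebHandler Language="C#" Class="Download" %>
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.IO;
using System.Web;

public class Download : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Require a logged-in user; Forms Authentication populates context.User.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        { context.Response.StatusCode = 401; return; }

        // Accept only a well-formed GUID, so raw input never reaches the path.
        Guid orderId;
        if (!Guid.TryParse(context.Request.QueryString["id"], out orderId))
        { context.Response.StatusCode = 400; return; }

        // Assumed folder: ASP.NET does not serve App_Data directly, so this
        // handler is the only route to a PDF.
        string path = Path.Combine(context.Server.MapPath("~/App_Data/Pdfs"),
                                   orderId.ToString("D") + ".pdf");

        // Same 404 for "not yours" and "does not exist": no hint about valid IDs.
        if (!UserOwnsOrder(orderId, context.User.Identity.Name) || !File.Exists(path))
        { context.Response.StatusCode = 404; return; }

        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=order.pdf");
        context.Response.TransmitFile(path);
    }

    // Ownership lookup against the tracking table (assumed schema).
    private static bool UserOwnsOrder(Guid orderId, string userName)
    {
        string cs = ConfigurationManager.ConnectionStrings["Orders"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM dbo.OrderPdf WHERE OrderId = @id AND UserName = @user", conn))
        {
            cmd.Parameters.AddWithValue("@id", orderId);
            cmd.Parameters.AddWithValue("@user", userName);
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

The ownership check runs on every request, so a leaked or guessed GUID is not enough to fetch another user's file.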