2

I worked on a website a long time back and it has been working fine. Recently a problem has been reported, which I need to go through.

In my site there is a folder named repository, which contains files like Word and PDF documents. Ideally only logged-in users are allowed to download them, but now it has been observed that anyone who is not logged into the website can also download them :(

Is there any way out to handle it without moving the folder out of the web directory? Like making that folder password protected so that only my pages can access the content. Any code sample or link will be of high use.

My web application is in ASP.NET 2.0 with C# and server has IIS 6.0.

Thanks in Advance

Edit:

My Web.Config has these tags in it:

<authentication mode="Forms">
  <forms slidingExpiration="true" loginUrl="Login.aspx" defaultUrl="HomePage.aspx" name=".ASPXMAIN" timeout="30">
  </forms>
</authentication>
<authorization>
  <deny users="?" />
</authorization>
Imran Balouch

2 Answers

5

Use the <location /> tags in the web.config, http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.71).aspx

  <location path="content">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

See this answer for more links to msdn documentation: https://stackoverflow.com/a/4280257/426894

asawyer
  • Thanks a lot for your answer, will implement and check it and will get back to you if I find any problem. – Imran Balouch Sep 07 '12 at 13:41
  • I have put an edit section in my question with the tags in my web.config. Shouldn't this stop the unauthorized users from accessing the folder, or am I not understanding it properly? – Imran Balouch Sep 07 '12 at 13:47
  • @ImranBalouch I just posted a simple bit of example usage, not exactly what you need. Mostly because I have no idea what kind of roles and such you want. Look at the answer I linked, it has msdn docs for everything so you can customize the config exactly as you need it. – asawyer Sep 07 '12 at 13:48
0

You can try this config in your Web.config (location permits you to define the path).

This sample uses roles in order to design the profile.

Also use users in order to design the user.

<location path="~/MembersOnly" > 
  <system.web> 
    <authorization> 
      <allow roles="Members"/> 
      <deny users="?" /> 
    </authorization> 
  </system.web> 
</location> 
Aghilas Yakoub
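One way to get the "only my pages can access the content" behaviour the question asks for, as an added example that is not from the question or either answer: an ASP.NET 2.0 handler that checks the login itself and then streams a file from the repository folder. The class name RepositoryDownload and the query parameter file are hypothetical, and it assumes direct requests to the folder are blocked separately.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler (e.g. RepositoryDownload.ashx?file=report.pdf); added example.
public class RepositoryDownload : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Forms authentication has already run for this request; reject anonymous
        // callers. With mode="Forms" a 401 is turned into a redirect to loginUrl.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // "file" is an assumed parameter name. Accept a bare file name only:
        // GetInvalidFileNameChars covers '\', '/', ':', '"' and control characters,
        // so path traversal and header injection attempts are refused here.
        string name = context.Request.QueryString["file"];
        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            context.Response.StatusCode = 400;
            return;
        }

        // Resolve inside ~/repository and confirm the result is still under it
        // (this also rejects "." and "..").
        string root = context.Server.MapPath("~/repository");
        string full = Path.GetFullPath(Path.Combine(root, name));
        if (!full.StartsWith(root + Path.DirectorySeparatorChar,
                             StringComparison.OrdinalIgnoreCase) ||
            !File.Exists(full))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
                                   "attachment; filename=\"" + name + "\"");
        context.Response.TransmitFile(full); // streams without buffering the file
    }
}
```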