1

I am uploading documents such as Excel, PDF, Word, and PPT in ASP.NET. How can I make it secure?

Suppose I have a website www.example.com and I have uploaded docs to the "Files" folder in the root directory. The name of a file I have uploaded is 3828392839.pdf, and if I enter the URL "www.example.com/Files/3828392839.pdf" in the address bar, it allows opening and downloading the docs. I need it so that if there is a valid logged-in user, then it allows opening or downloading the files.

Shekhar Dalvi
  • You upload to a location which is NOT open to the internet. – Nick.Mc Sep 16 '14 at 10:39
  • [how-to-prevent-accessing-unauthorized-user-to-resource-such-as-pdf-file-in-host](http://stackoverflow.com/questions/2340422/how-to-prevent-accessing-unauthorized-user-to-resource-such-as-pdf-file-in-host) – Nagaraj Tantri Sep 16 '14 at 10:40
  • I've answered this at [Prevent a file (pdf) from being served in asp.net](http://stackoverflow.com/questions/14144958/prevent-a-file-pdf-from-being-served-in-asp-net). You'll just need `` to block anyone who is not logged in, and add handlers for your other file types. – MikeSmithDev Sep 16 '14 at 11:57

5 Answers

1

You will have to create a valid folder structure for this purpose while saving the file.

E.g., if the user with userID 20052 logs in and uploads a file, then the file path should be:

Files/20052/3828392839.pdf

Here I have created a folder with the same name as the userid to save the uploaded file.

While opening the file, you will have to compare the folder name, i.e. 20052, with the logged-in userid.

If they are the same, then allow the file to be downloaded.

C Sharper
  • But the static files are not always managed by the ASP.NET pipeline, so you need some configuration for this to work. – Tareq Sep 16 '14 at 10:58
0

You should implement proper authentication and authorization in your ASP.NET site for your requirement.

To learn more, go through these links

ssilas777
0

Pretty simple. Create a normal ASP.NET page. Do your authentication however you want to do that; if they pass authentication, send the file to the response as described here...

How to send file in HttpResponse?

Alternatively, if they do not pass authentication, don't send the file; instead respond with some HTML like "Access Denied".

Mick
0

You can secure this by creating permissions on the documents folder. This means you need permission to upload files and to download them as well.

For simple Windows authentication: create reader and writer roles as a local user/group. For Basic authentication: it is best to use database authentication for roles.

You need to check that the IIS app pool is configured correctly if you are using IIS 7.0.

meetkichu
0

If you are using IIS 7+, see this question: How do I protect static files with ASP.NET form authentication on IIS 7.5?

For IIS 6, you can put the files in the app_data folder, and you need to make a handler to serve the files.

Tareq
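
The approach several of the answers above describe (store uploads outside the web-served folder, require a login, match the per-user folder to the logged-in user, and send the file from a handler), as an added example that is not code from any of the answers. The handler name, the `file` query parameter, the `App_Data/Files/{userId}` layout and the use of `Identity.Name` as the user id are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler; register it in web.config for a path such as download.ashx.
public class SecureDownloadHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Only a logged-in user may download anything.
        if (!context.Request.IsAuthenticated) { context.Response.StatusCode = 401; return; }

        // Assumption: Identity.Name is the user id used as the folder name, e.g. "20052".
        string userId = context.User.Identity.Name;
        string fileName = context.Request.QueryString["file"];

        // Assumption: uploads live in App_Data/Files/{userId}/; ASP.NET refuses direct requests to App_Data.
        string root = context.Server.MapPath("~/App_Data/Files");
        string userDir = Resolve(root, userId);
        string path = userDir == null ? null : Resolve(userDir, fileName);

        // The folder comes from the login, not from the URL, so a user only reaches their own files.
        if (path == null || !File.Exists(path)) { context.Response.StatusCode = 404; return; }

        // Force a download and stop the browser from sniffing the uploaded content as HTML.
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.TransmitFile(path);
    }

    // Returns the full path of a single path segment under parent, or null if the segment
    // is empty, contains separators or other invalid characters, or resolves outside parent.
    private static string Resolve(string parent, string segment)
    {
        if (string.IsNullOrEmpty(segment) || segment.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            return null;
        string full = Path.GetFullPath(Path.Combine(parent, segment));
        string prefix = parent.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        return full.StartsWith(prefix, StringComparison.OrdinalIgnoreCase) ? full : null;
    }
}
```

With forms authentication enabled, the 401 response is turned into a redirect to the login page; a missing file and a file in another user's folder both return 404, so the response does not reveal which files exist.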