
How do I go about securing files that are stored on the server? We have an ASP.NET app which generates PDFs. These are not stored in the wwwroot folder but in another folder, i.e. C:\inetpub\data. This provides more security but maybe not enough. The ASP.NET/IIS process will need write access to this folder so it can generate the PDFs there.

Once the PDF is generated, it can be viewed using an ASP.NET form called viewpdf.aspx with the file to be viewed added to the query string like so: viewpdf.aspx?FILE=mynewfile.pdf. This is loaded from a gridview.

The full path to C:\inetpub\data is resolved and loaded in the Page_Load event of the viewer page. Now I'm wondering how to secure this. Anybody could just view the file. Not by entering the URL, as it won't be seen by IIS (it's not in wwwroot), but they could change the querystring in the viewpdf page.

How do I stop anybody hacking this?

jaffa
    Encrypt your querystring values: http://stackoverflow.com/questions/240713/how-can-i-encrypt-a-querystring-in-asp-net – LesterDove Apr 23 '10 at 19:40

3 Answers


First, do not use the name of the file in the query string. Use some other identifier; preferably a non-guessable id. One example is a base 64 encoded guid.

Second, the viewpdf.aspx file should implement your security model to test whether the user who is accessing the link is authorized to view the file.

Third, you might consider storing the actual file somewhere else. SQL 2008 has a FILESTREAM data type which can push the actual file data to a file system folder and seems to work pretty well.

NotMe

You lock down viewpdf.aspx using some form of authentication (like forms authentication) otherwise anyone who has access to the querystring (encrypted or not) will be able to view the file. Do you have a security model to determine who has access to the file?

Raj Kaimal

What I used to do is (I apologize, as I'm not a native speaker):

  • When saving the PDF, rename it to a GUID-like name (use System.Guid)
  • Create a table with the generated names and keep the original name there, in case you need it later.
  • When serving PDFs, make another page that redirects with Server.Transfer to your aspx page, and do your searching by the id of the record, not by names.
Jhonny D. Cano -Leftware-
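A viewer page that combines NotMe's non-guessable id and per-user authorization check with the GUID lookup table from Jhonny's answer, as an added example that is not code from any of the answers above. The `Files` dictionary (standing in for the database table), its owner column, the `id` query parameter and the `alice` user are assumptions for illustration.

```csharp
// viewpdf.aspx.cs (added example; Files, the owner column and "id" are assumptions)
using System;
using System.Collections.Generic;
using System.IO;
using System.Web.UI;

public partial class ViewPdf : Page
{
    // Folder outside wwwroot, as in the question; IIS never serves it directly.
    private const string DataRoot = @"C:\inetpub\data";

    // Stand-in for the lookup table: opaque GUID id -> (stored file name, owner).
    // A real app would query its database here; these rows are constructed for the example.
    private static readonly Dictionary<string, Tuple<string, string>> Files =
        new Dictionary<string, Tuple<string, string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
              Tuple.Create("3f2504e0-4f89-11d3-9a0c-0305e82c3301.pdf", "alice") }
        };

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Require a logged-in user (forms authentication, per Raj's answer).
        if (!User.Identity.IsAuthenticated) { Response.StatusCode = 401; Response.End(); return; }

        // 2. Accept only a well-formed GUID id; the file name never comes from the client.
        Guid id;
        Tuple<string, string> entry;
        if (!Guid.TryParse(Request.QueryString["id"], out id)
            || !Files.TryGetValue(id.ToString(), out entry))
        { Response.StatusCode = 404; Response.End(); return; }

        // 3. Per-file authorization: the record's owner must be the current user.
        if (!string.Equals(entry.Item2, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
        { Response.StatusCode = 403; Response.End(); return; }

        // 4. Defence in depth: the resolved path must still lie inside DataRoot.
        string fullPath = Path.GetFullPath(Path.Combine(DataRoot, entry.Item1));
        if (!fullPath.StartsWith(DataRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(fullPath))
        { Response.StatusCode = 404; Response.End(); return; }

        // 5. Stream the file to the browser from the protected folder.
        Response.ContentType = "application/pdf";
        Response.AddHeader("Content-Disposition", "inline; filename=\"document.pdf\"");
        Response.TransmitFile(fullPath);
        Response.End();
    }
}
```

The same id-to-record lookup is what makes Jhonny's Server.Transfer page work: the transferred-to page reads the record, not a file name, so changing the querystring yields only 404 or 403.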