-1

I have several documents stored in a folder in a project using ASP MVC 5. The HTML link to see the document is:

<a ng-href="~/download/document/{{vm.document}}"></a>

Then this URL is visible in the address bar: http://localhost:20870/download/document/d47a1c96-e4d7-423b-aa83-76537c392ad2.pdf

For safety, I do not want this URL to be visible!

Rory McCrossan
webpalex
  • If it's not in the URL, it will not be passed to the method! –  Jul 04 '16 at 08:21
  • You can put htaccess ignore inside your document folder, so no one can reach it alone – zmuci Jul 04 '16 at 08:22
  • For the download to work the URL has to be publicly available. If you want to restrict access to the file, then it sounds like you need to use a token system where the server reads a provided token and checks that it's valid, before redirecting to the file to be downloaded. – Rory McCrossan Jul 04 '16 at 08:23
  • If it's about security, the user can always look at the page source to find the secret URL. – gcampbell Jul 04 '16 at 08:23
  • Do you mean the PDF link appears in the status bar at the bottom when you mouse over it? – engineforce Jul 04 '16 at 13:03

3 Answers

2

As others pointed out, URLs are meant to be public. There is no reasonable way to completely hide them from the user.

However, you can use MVC to control access to resources, such as physical files.

By default, MVC does not serve physical files; IIS serves them directly. Assuming that your file is physically located in the /download/document/ virtual directory, start by blocking any direct access to the folder through your root web.config file.

<location path="download/document">
    <system.web>
        <authorization>
            <deny users="*" />
        </authorization>
    </system.web>
</location>

This ensures that no user (whether logged in or not) can access the file directly through IIS.

Then, you can use a controller action method in conjunction with the [Authorize] attribute to control who has access to the file.

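using System.IO;
using System.Web.Mvc;

public class SecureDownloadController : Controller
{
    [Authorize] // only authenticated users reach this action
    public ActionResult Document(string id)
    {
        // Accept a bare file name only: no path separators, so "..\" cannot leave the folder.
        if (string.IsNullOrEmpty(id) || id.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            return HttpNotFound();
        return File(@"D:\wwwroot\documents\download\" + id, "application/pdf");
    }
}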

The above will allow any logged on user to access the file at the URL http://localhost:20870/securedownload/document/d47a1c96-e4d7-423b-aa83-76537c392ad2.pdf.

IMPORTANT: Never use a real location for the file in the URL. IIS will favor a physical location over an MVC controller action, so if the physical file exists you will get an error. You probably don't want the user to know the physical location of the file anyway.

You could further restrict it to a specific user role or roles by using:

[Authorize(Roles = "Admin,SuperUser")]

Alternatively, you could subclass the [Authorize] attribute and use some other way to secure the file, for example, passing a hash code through the HTTP headers.

Another possible alternative: Generate the PDF as a stream rather than using a physical file that is persisted on the disk. This ensures there is no physical path where the file can be accessed - it can only be accessed through a controller action method. It also ensures you never have to clean up a directory of one-time-use PDF files.

NightOwl888
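
The token check suggested in the comments, and the "hash code" alternative mentioned in the answer above, as an added example that is not part of the original thread: an HMAC-signed token ties a file name and a user to an expiry time, so a copied link stops working for other files, other users, or after it expires. `DownloadToken`, its methods and every sample value are hypothetical; the example assumes the key comes from protected configuration and that the controller action calls `IsValid` before returning the file.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the thread): short-lived, per-user download tokens.
public static class DownloadToken
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    // Token layout: "<expiry in Unix seconds>.<base64url HMAC-SHA256(file, user, expiry)>"
    public static string Create(string file, string user, DateTime expiresUtc, byte[] key)
    {
        long exp = (long)(expiresUtc - Epoch).TotalSeconds;
        return exp + "." + Sign(file, user, exp, key);
    }

    public static bool IsValid(string token, string file, string user, DateTime nowUtc, byte[] key)
    {
        string[] parts = (token ?? "").Split('.');
        long exp;
        if (parts.Length != 2 || !long.TryParse(parts[0], out exp)) return false;
        if ((long)(nowUtc - Epoch).TotalSeconds > exp) return false; // link has expired
        return FixedTimeEquals(parts[1], Sign(file, user, exp, key));
    }

    static string Sign(string file, string user, long exp, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(file + "\n" + user + "\n" + exp));
            return Convert.ToBase64String(mac).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }
    }
    // No early exit, so timing does not reveal how many characters matched.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void Main() // constructed sample values only
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key"); // real key: protected config
        DateTime now = new DateTime(2016, 7, 4, 8, 0, 0, DateTimeKind.Utc);
        string t = Create("report.pdf", "alice", now.AddMinutes(5), key);
        Console.WriteLine(IsValid(t, "report.pdf", "alice", now, key));               // same file and user
        Console.WriteLine(IsValid(t, "other.pdf", "alice", now, key));                // different file
        Console.WriteLine(IsValid(t, "report.pdf", "alice", now.AddMinutes(6), key)); // after expiry
    }
}
```

The token can travel in the query string or in a request header; the URL itself stays visible, but it is useless without a token that matches the requested file, the authenticated user and the time window.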
0

Dear, URL hiding will not be beneficial, because we can know the details of the request by pressing F12 and looking at the Network tab.

Protect your document in a better way. I think role-based security will be good, giving access to the document depending on the request.

Sandip Jaiswal
-1

You Should Use This

<a href="javascript:void(0)" onclick="location.href='" . $ajax_like_link . "'">Link</a>