In an asp.net web forms site, I would like to disallow a user from browsing directly to files stored in a directory. For example, i have PDFs being stored in a directory, if the user knows the path, they can simply type it in the browser address bar and pull up the PDF.
Looking for ideas on how to stop that unless they are logged in under a specific id that matches the directory name.
Any ideas appreciated.
In IIS, go and select your Web Site, or even a specific application.
Then, nn the right side, you will find 'Directory Browsing' double-click and you will be able to disable/enable directory browsing.
In your web.config file, add this:
<configuration>
<location path="Secured">
<system.webServer>
<directoryBrowse enabled="false" />
</system.webServer>
</location>
</configuration>
how to disable directory browsing unless they are logged in under a specific id
I assume this is ASP.NET Web Form.
If you use ASP.NET Membership Provider or Form Authentication, you could configure Authorization in web.config for all users and all files.
However, if users and files are constantly changing, above approach won't work.
That becomes complex. I store users and their authorized files in persistent storage like database. Then store the actual files in App_Data folder (or private blob storage). IIS wont' serve the files stored inside App_Data folder. Then every file request goes through Generic Handler such as FileHandler.ashx?filename=sample.pdf.
