1

I have a folder in my ASP.NET app containing doc files that can be accessed (downloaded) only by a certain type of connected users (admin account or permitted other accounts).

How can I do that?
Any ideas?
Thanks in advance.

Aristos

3 Answers

1

The App_Data folder in .NET is protected, and therefore ideal for this very purpose. I normally put sensitive files in here then have a page "ViewDoc.aspx" that performs the security checks and then sends the file to the user (using Response.Write).

James Allen
  • Thanks @James. How can I use Response.Write with .doc (.docx) files? Can you give me a link to a working example? –  Apr 10 '11 at 22:47
  • Sure, here's a couple of links with better detail: [1](http://stackoverflow.com/questions/736301/asp-net-how-to-stream-file-to-user) [2](http://stackoverflow.com/questions/608480/best-way-to-stream-files-in-asp-net). The basic steps are to set the Response.ContentType = "application/msword", get the bytes using something [like this](http://kseesharp.blogspot.com/2007/12/read-file-into-byte-array.html), pass the byte array to Response.Write(...) and call Response.End(). – James Allen Apr 11 '11 at 21:13
1

Put sensitive files outside of the web site root, so they cannot be accessed by URL.

After that, use this HttpHandler (written in VB.NET) to serve files:

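```vbnet
Public NotInheritable Class FileHandler
    Implements IHttpHandler

    Public ReadOnly Property IsReusable() As Boolean Implements System.Web.IHttpHandler.IsReusable
        Get
            Return False
        End Get
    End Property

    ' Note: this handler does not check who the current user is.
    Public Sub ProcessRequest(ByVal context As System.Web.HttpContext) Implements System.Web.IHttpHandler.ProcessRequest
        If Not String.IsNullOrEmpty(context.Request.QueryString("FileName")) Then

            Try
                ' Keep only the file-name part, so "..\" sequences or an absolute
                ' path in the query string cannot reach files outside filesPath.
                Dim fileName As String = IO.Path.GetFileName(context.Request.QueryString("FileName"))

                ' Folder outside the web site root that holds the files.
                Dim filesPath As String = "D:\TheFiles\"

                Dim fileInfo As New IO.FileInfo(IO.Path.Combine(filesPath, fileName))

                If fileInfo.Exists Then

                    ' Extension without the leading dot, in upper case (e.g. "JPG").
                    Dim fileExt As String = fileInfo.Extension.Remove(0, 1).ToUpperInvariant

                    ' Choose the content type from the extension.
                    If fileExt = "JPG" Then
                        context.Response.ContentType = "image/jpeg"
                    Else
                        context.Response.ContentType = "image/" & fileExt
                    End If

                    ' Send the file to the client.
                    context.Response.TransmitFile(fileInfo.FullName)

                End If

            Catch ex As Exception
                ' Errors are swallowed; the response is left empty.
            End Try

        End If
    End Sub

End Class
```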

and register this handler in your web.config like this:

```xml
<httpHandlers>
    <add verb="*" path="secfile.axd" type="MyApp.FileHandler, MyApp" validate="false"/>
</httpHandlers>
```

Use it like this:

```html
<a href="secfile.axd?FileName=sample.jpg">sample.jpg</a>
```

Remember to add your file types to the handler and change Response.ContentType according to the type of your file.

Using a handler is not the only way; you can use context.Response.TransmitFile(fileInfo.FullName) in your aspx file.

Afshin Gh
  • What is secfile.axd in this case, Afshin, in the web.config? I want to protect all .doc files in a folder ./DocFiles/ –  Apr 19 '11 at 17:02
0

A simple way to do this is to NOT put these documents inside a folder of your ASP.NET app and instead, put it somewhere else in the file system that can't be accessed directly from the browser. Then programmatically, you can serve the file to the user if s/he's authorized to do so.

Johnny Oshika
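
One way to combine what the answers above describe (files kept outside the web root, an authorization check, then TransmitFile), as an added example that is not code from any of the posts. The folder `D:\TheFiles\` and the `FileName` query-string key are taken from the handler above; the class name `ProtectedDocHandler` and the role name `Admin` are assumptions.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Web

Public NotInheritable Class ProtectedDocHandler
    Implements IHttpHandler
    Private Const DocRoot As String = "D:\TheFiles\"   ' outside the web root; keep the trailing "\"
    Private Const AllowedRole As String = "Admin"       ' hypothetical role name (assumption)
    ' Allow-list: only these extensions are served, each with a fixed content type.
    Private Shared ReadOnly ContentTypes As New Dictionary(Of String, String)(StringComparer.OrdinalIgnoreCase) From {
        {".doc", "application/msword"},
        {".docx", "application/vnd.openxmlformats-officedocument.wordprocessingml.document"}
    }
    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' 1. Authorization before any file-system access.
        If context.User Is Nothing OrElse Not context.User.Identity.IsAuthenticated Then
            context.Response.StatusCode = 401 : Return
        End If
        If Not context.User.IsInRole(AllowedRole) Then
            context.Response.StatusCode = 403 : Return
        End If
        ' 2. The name must resolve inside DocRoot, have an allowed extension and exist.
        Dim fullPath As String = ResolveInsideRoot(context.Request.QueryString("FileName"))
        Dim contentType As String = Nothing
        If fullPath Is Nothing OrElse Not ContentTypes.TryGetValue(Path.GetExtension(fullPath), contentType) OrElse Not File.Exists(fullPath) Then
            context.Response.StatusCode = 404 : Return
        End If
        ' 3. Send the file as a download.
        context.Response.ContentType = contentType
        context.Response.AddHeader("Content-Disposition", "attachment; filename=""" & Path.GetFileName(fullPath) & """")
        context.Response.TransmitFile(fullPath)
    End Sub

    ' Returns the canonical path if it stays under DocRoot, otherwise Nothing.
    Friend Shared Function ResolveInsideRoot(ByVal requested As String) As String
        If String.IsNullOrEmpty(requested) Then Return Nothing
        Try
            Dim full As String = Path.GetFullPath(Path.Combine(DocRoot, requested))
            Return If(full.StartsWith(DocRoot, StringComparison.OrdinalIgnoreCase), full, Nothing)
        Catch ex As Exception   ' invalid characters, over-long path, unsupported format
            Return Nothing
        End Try
    End Function
End Class
```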