How do I protect download files being directly accessed through URL info?
| karthik 2004-05-25, 7:33 am |
| Hi all,
I have a basic question.
I intend to create a page from where the user can download a file (exe, xls etc.). The page by itself is protected, requiring the user to logon (it is a simple SQL Server based User ID/Pwd authentication and not Windows logon) before getting on to the page. But once the user is on the page, the download URL of the exe is seen. So the next time, the user needs to just type the URL to download the exe.
Are there ways to avoid the user from viewing the URL and downloading the files directly from the URL info. What are the ways in which I can protect my downloadable files?
Any help on this is greatly appreciated.
| |
| David Wang [Msft] 2004-05-25, 7:33 am |
| FYI: This question actually has nothing to do with IIS.
Since you are using custom authentication and authorization, you are
responsible for authenticating and authorizing such resource access
yourself. IIS cannot do it for you since it's your custom scheme.
How people usually do this is to place those download files in some
directory that is NOT accessible via the web, and then use one authenticated
ASP page that uses ADO to stream the files from that directory (upon
successful authentication/authorization) to the browser. Please google for
the many past responses on this (I can't seem to find the link to code that
implements this, at the moment).
You may want to look into ASP.Net's Form based authentication or CustomAuth
on IIS6 ( http://www.microsoft.com/downloads/...&DisplayLang=en ),
which implement form-based authentication schemes that can apply
server-wide instead of requiring an authenticated ASP page acting as a
"proxy" and using ADO to stream data.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"karthik" <anonymous@discussions.microsoft.com> wrote in message
news:CC270977-5AD4-4FF3-B2B3-411FB5AD6696@microsoft.com...
Hi all,
I have a basic question.
I intend to create a page from where the user can download a file (exe, xls
etc..). The page by itself is protected, requiring the user to logon (it is
a simple SQL Server based User ID/Pwd authentication and not Windows logon)
before getting on to the page. But once, the user is on the page, the
download URL of the exe is seen. So the next time, the user needs to just
type the URL to download the exe.
Are there ways to avoid the user from viewing the URL and downloading the
files directly from the URL info. What are the ways in which I can protect
my downloadable files?
Any help on this is greatly appreciated.
| |
| Paul Lynch 2004-05-25, 4:32 pm |
| On Tue, 25 May 2004 02:06:26 -0700, "David Wang [Msft]"
<someone@online.microsoft.com> wrote:
>FYI: This question actually has nothing to do with IIS.
>
>Since you are using custom authentication and authorization, you are
>responsible for authenticating and authorizing such resource access
>yourself. IIS cannot do it for you since it's your custom scheme.
>
>How people usually do this is to place those download files in some
>directory that is NOT accessible via the web, and then use one authenticated
>ASP page that uses ADO to stream the files from that directory (upon
>successful authentication/authorization) to the browser. Please google for
>the many past responses on this (I can't seem to find the link to code that
>implements this, at the moment).
Is it this ?
http://support.microsoft.com/defaul...q301464&SD=MSDN
Regards,
Paul Lynch
MCSE
| |
| Jeff Cochran 2004-05-25, 4:32 pm |
| On Tue, 25 May 2004 01:01:03 -0700, "karthik"
<anonymous@discussions.microsoft.com> wrote:
>I have a basic question.
>I intend to create a page from where the user can download a file (exe, xls etc..). The page by itself is protected, requiring the user to logon (it is a simple SQL Server based User ID/Pwd authentication and not Windows logon) before getting on to the page. But once, the user is on the page, the download URL of the exe is seen. So the next time, the user needs to just type the URL to download the exe.
>
>Are there ways to avoid the user from viewing the URL and downloading the files directly from the URL info. What are the ways in which I can protect my downloadable files?
Use a randomized URL for each connection, serve the file from a
database, place it in a password restricted location and issue
passwords, stream it from a location outside the web folder structure,
lots of ways. None of which are IIS related though...
Jeff
| |
| David Wang [Msft] 2004-05-30, 11:52 am |
| Hmm, not exactly what I was thinking of. It is on iisfaq.com/aspfaq.com
somewhere, where it explains how to use ADO to stream files outside the URL
namespaces (for protection in a custom authentication scenario) to the
client, and then map all browser requests through an ASP page that performs
custom authentication and controls the ADO connection to stream files.
This can be trivially done in ASP.Net to take advantage of its Forms
authentication, and with Whidbey, it will be possible to write custom
authentication modules inside of ASP.Net and apply it to any file on IIS.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Paul Lynch" <paul.lynch@nospam.com> wrote in message
news:8dd6b0dluceshp7e9oq4njbopvgkr7i7rg@4ax.com...
On Tue, 25 May 2004 02:06:26 -0700, "David Wang [Msft]"
<someone@online.microsoft.com> wrote:
>FYI: This question actually has nothing to do with IIS.
>
>Since you are using custom authentication and authorization, you are
>responsible for authenticating and authorizing such resource access
>yourself. IIS cannot do it for you since it's your custom scheme.
>
>How people usually do this is to place those download files in some
>directory that is NOT accessible via the web, and then use one authenticated
>ASP page that uses ADO to stream the files from that directory (upon
>successful authentication/authorization) to the browser. Please google for
>the many past responses on this (I can't seem to find the link to code that
>implements this, at the moment).
Is it this ?
http://support.microsoft.com/defaul...q301464&SD=MSDN
Regards,
Paul Lynch
MCSE
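
The approach described in the replies above (files kept outside the web-accessible tree, one authenticated ASP page streaming them with ADO), sketched as an added example; it is not code from any poster or from the linked articles. The page name `download.asp`, the `login.asp` redirect, the `Session("UserID")` key and the `D:\ProtectedDownloads\` folder are assumptions.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' download.asp (hypothetical name): the one authenticated page that serves files.
' Assumptions: login.asp sets Session("UserID") after the SQL Server check,
' and D:\ProtectedDownloads is NOT mapped to any site or virtual directory.
Const DOWNLOAD_ROOT = "D:\ProtectedDownloads\"
Const adTypeBinary = 1
Const CHUNK_SIZE = 65536
Response.Buffer = True

Dim fileName, fso, fullPath, stream

' 1. Authentication: no logged-in session, no file.
If CStr(Session("UserID")) = "" Then Response.Redirect "login.asp"

' 2. Accept a bare file name only, so the request cannot climb out of
'    DOWNLOAD_ROOT with "..", a drive letter or a path separator.
fileName = Trim(Request.QueryString("file") & "")
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If fileName = "" Or InStr(fileName, "..") > 0 Or InStr(fileName, ":") > 0 _
   Or InStr(fileName, "\") > 0 Or InStr(fileName, "/") > 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 3. Authorization: a per-user check of fileName against the application's
'    own entitlement data belongs here; this example allows any logged-in user.
fullPath = DOWNLOAD_ROOT & fileName
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 4. Stream the file in chunks with ADODB.Stream; its real location is never sent.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile fullPath

Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.AddHeader "Content-Length", CStr(stream.Size)
Do While Not stream.EOS And Response.IsClientConnected
    Response.BinaryWrite stream.Read(CHUNK_SIZE)
    Response.Flush
Loop
stream.Close
%>
```

Links on the protected page then point at `download.asp?file=...` rather than at the file itself, so typing the URL later without a valid session only reaches the login redirect.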