Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / .NET Framework / Security / January 2006

Tip: Looking for answers? Try searching our database.

ASP.NET app files security

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Vi - 06 Jan 2006 21:23 GMT
I'm working on a ASP.NET app and as part of the app I'm uploading some
pictures to the web server and these pictures can then be accessed by
authorized users by clicking on a link.
All the aspx files a protected by a custom security solution that checks if
an authorized user request the aspx page. But nothing prevents somebody to
just type in a browser the URL of the picture and voila, the picture is
displayed. Does ASP.NET or IIS offer a solution that does not rely on cookies
for this kind of problem? Or how something like this can be implemented?

Thank you
Reply to this Message
Nicole Calinoiu - 07 Jan 2006 14:17 GMT
If you map your image file extension(s) to be handled by aspnet_isapi.dll in
the IIS properties for your application, you could then map them to the
StaticFileHandler in your web.config, which will cause ASP.NET to apply your
authorization settings to the files while allowing them to display as-is if
authorization passes.  For details on the technique, see
http://aspnet.4guysfromrolla.com/articles/020404-1.aspx (although you'll
want to use the StaticFileHandler rather than the HttpForbiddenHandler).

> I'm working on a ASP.NET app and as part of the app I'm uploading some
> pictures to the web server and these pictures can then be accessed by
[quoted text clipped - 8 lines]
>
> Thank you
Reply to this Message
Vi - 07 Jan 2006 15:55 GMT
Thank you for your reply.
In this particular app I'm not using ASP.NET authorization, but rather a
custom developed one. Therefore I suppose I will have to create my own
handler and map to it my image file extesions, rather then using
StaticFileHandler. Is that correct?
Merci.

> If you map your image file extension(s) to be handled by aspnet_isapi.dll in
> the IIS properties for your application, you could then map them to the
[quoted text clipped - 16 lines]
> >
> > Thank you
Reply to this Message
Nicole Calinoiu - 09 Jan 2006 13:09 GMT
Yup.  Another approach would be to move these files out of your web folder
hierarchy and deliver their content only via a page or handler that
pre-screens the user identity.  However, this would probably represent about
the same amount of development work for you while potentially increasing the
administrative burden, so creating a custom handler similar to
StaticFileHandler would probably be the simpler choice overall...

> Thank you for your reply.
> In this particular app I'm not using ASP.NET authorization, but rather a
[quoted text clipped - 29 lines]
>> >
>> > Thank you
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.