ASP.NET app files security

ASP.NET app files security

Post by Vmk » Sun, 08 Jan 2006 06:23:03


I'm working on an ASP.NET app and as part of the app I'm uploading some
pictures to the web server and these pictures can then be accessed by
authorized users by clicking on a link.
All the aspx files are protected by a custom security solution that checks if
an authorized user requests the aspx page. But nothing prevents somebody from
just typing the URL of the picture in a browser and voila, the picture is
displayed. Does ASP.NET or IIS offer a solution that does not rely on cookies
for this kind of problem? Or how can something like this be implemented?

Thank you

ASP.NET app files security

Post by Nicole Cal » Sun, 08 Jan 2006 23:17:39

If you map your image file extension(s) to be handled by aspnet_isapi.dll in
the IIS properties for your application, you could then map them to the
StaticFileHandler in your web.config, which will cause ASP.NET to apply your
authorization settings to the files while allowing them to display as-is if
authorization passes. For details on the technique, see
http://www.yqcomputer.com/ (although you'll
want to use the StaticFileHandler rather than the HttpForbiddenHandler).
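As an added illustration of the mapping described above (not part of the original reply), here is a web.config fragment for ASP.NET 1.x/2.0 that routes two image extensions through StaticFileHandler and denies them to anonymous users. It assumes the pictures live under an `images` folder and that Forms authentication with a `Login.aspx` page is in use; the IIS step (mapping `.jpg` and `.gif` to aspnet_isapi.dll in the application's properties) has to be done separately, because without it IIS serves the files itself and this configuration is never consulted.

```xml
<configuration>
  <system.web>
    <!-- Only reached once IIS hands *.jpg / *.gif requests to ASP.NET. -->
    <httpHandlers>
      <add verb="GET,HEAD" path="*.jpg" type="System.Web.StaticFileHandler" />
      <add verb="GET,HEAD" path="*.gif" type="System.Web.StaticFileHandler" />
    </httpHandlers>
    <!-- Assumed: Forms authentication with a Login.aspx page. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
  </system.web>
  <!-- Assumed folder holding the uploaded pictures: deny anonymous users,
       so the UrlAuthorizationModule rejects the request before the handler
       streams the file. -->
  <location path="images">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick check that the mapping took effect: request one of the pictures in a fresh browser session with no login cookie and confirm you are redirected to the login page (or get a 401/403) instead of the image bytes.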


ASP.NET app files security

Post by Vmk » Mon, 09 Jan 2006 00:55:03

Thank you for your reply.
In this particular app I'm not using ASP.NET authorization, but rather a
custom developed one. Therefore I suppose I will have to create my own
handler and map my image file extensions to it, rather than using
StaticFileHandler. Is that correct?
Thanks.

ASP.NET app files security

Post by Nicole Cal » Tue, 10 Jan 2006 22:09:06

Yup. Another approach would be to move these files out of your web folder
hierarchy and deliver their content only via a page or handler that
pre-screens the user identity. However, this would probably represent about
the same amount of development work for you while potentially increasing the
administrative burden, so creating a custom handler similar to
StaticFileHandler would probably be the simpler choice overall...
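The "custom handler similar to StaticFileHandler" suggested above, as an added example that is not code from either poster. It assumes the image extensions have already been mapped to aspnet_isapi.dll in IIS (otherwise ASP.NET never sees the request), that the pictures stay under the application's web folder, and that the application's own security solution can be plugged in through the hypothetical `Authorize` delegate shown here; the handler fails closed if no check has been wired up.

```csharp
using System;
using System.IO;
using System.Web;

// Registration (ASP.NET 1.x/2.0 web.config syntax), one line per extension
// that was mapped to aspnet_isapi.dll in IIS:
//   <httpHandlers>
//     <add verb="GET,HEAD" path="*.jpg" type="ProtectedImageHandler" />
//     <add verb="GET,HEAD" path="*.gif" type="ProtectedImageHandler" />
//   </httpHandlers>

// Signature of the application's own authorization check (hypothetical hook).
public delegate bool AuthorizeCallback(HttpContext context);

public class ProtectedImageHandler : IHttpHandler
{
    // Set once at startup (e.g. Application_Start) to a method of the custom
    // security solution that returns true only for an authorized user.
    public static AuthorizeCallback Authorize;

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // Fail closed: no hook wired up, or hook says no, means no picture.
        if (Authorize == null || !Authorize(context))
        {
            response.StatusCode = 403;
            response.SuppressContent = true;
            return;
        }

        // The handler is selected by extension, so Request.PhysicalPath is
        // the on-disk file that IIS would otherwise have served directly.
        string fullPath = Path.GetFullPath(context.Request.PhysicalPath);
        string appRoot = HttpRuntime.AppDomainAppPath;

        // Defensive containment check: serve only files below the app root.
        if (!fullPath.StartsWith(appRoot, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(fullPath))
        {
            response.StatusCode = 404;
            response.SuppressContent = true;
            return;
        }

        response.ContentType = ContentTypeFor(Path.GetExtension(fullPath));
        // Private: shared caches and proxies must not store the picture,
        // or the authorization check could be bypassed by a cached copy.
        response.Cache.SetCacheability(HttpCacheability.Private);
        response.TransmitFile(fullPath);
    }

    private static string ContentTypeFor(string extension)
    {
        switch (extension.ToLowerInvariant())
        {
            case ".jpg":
            case ".jpeg": return "image/jpeg";
            case ".gif": return "image/gif";
            case ".png": return "image/png";
            default: return "application/octet-stream";
        }
    }
}
```

The cache header matters as much as the authorization call: StaticFileHandler's default caching is fine for public files, but for protected pictures a shared proxy that stores the response would hand the image to the next requester without the check ever running.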