I have a shared hosting account to which I upload my ASP.NET application. I let the user upload .doc files inside a folder. The problem is I only want logged-in users to be able to download those files, so I wrote a dispatcher: you give it the id and it reads the file and writes it to the browser, hiding the file location. Nevertheless, I want to protect the directory where all the files are, so you can only download files using the dispatcher. I tried marking it as a password-protected directory, but now ASP.NET can't get access either.
You need to restrict the NTFS permissions on that folder to only allow the user your application is running as. This might be difficult in a shared host environment...
The ideal solution would be to move the folder outside of the site root but I guess as you are using shared hosting this may not be possible.
One other solution would be to move docs to the App_Data folder, which is protected by .NET (see "What is the App_Data folder used for in Visual Studio?").
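A dispatcher of the kind the question describes, serving files kept under App_Data, as an added example that is not part of the original posts. The `DocumentDispatcher` class, the `~/App_Data/uploads` folder, the `id` query parameter and the in-memory id map are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

public class DocumentDispatcher : IHttpHandler
{
    // Hypothetical id -> stored file name map (constructed entries); a real app reads this from its database.
    private static readonly Dictionary<int, string> StoredNames = new Dictionary<int, string>
    {
        { 1, "3f2a9c1e.doc" },
        { 2, "b71d04aa.doc" }
    };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Only logged-in users may download; App_Data itself is never served by ASP.NET.
        if (!context.Request.IsAuthenticated) { context.Response.StatusCode = 401; return; }

        int id;
        string storedName;
        if (!int.TryParse(context.Request.QueryString["id"], out id) ||
            !StoredNames.TryGetValue(id, out storedName))
        { context.Response.StatusCode = 404; return; }

        // Resolve under App_Data and confirm the result did not escape that folder.
        string root = WithSeparator(Path.GetFullPath(context.Server.MapPath("~/App_Data/uploads")));
        string full = Path.GetFullPath(Path.Combine(root, storedName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
        { context.Response.StatusCode = 404; return; }

        // Send as a download with a neutral name so the stored name and location stay hidden.
        context.Response.ContentType = "application/msword";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"document-" + id + ".doc\"");
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.TransmitFile(full);
    }

    private static string WithSeparator(string path)
    {
        return path.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
    }
}
```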
Related
My ASP.NET application needs to write some temporary files. What folder should I use?
I tried Path.GetTempPath() which maps to C:\Windows\Temp but surprisingly not all users have access to that path. IIS_IUSRS only has read access.
This question is for a general purpose library that should not assume much about the user it runs under. It should not require NTFS permissions.
What is a safe temp path to use under ASP.NET that will always be available for writing?
> What is a safe temp path to use under ASP.NET that will always be available for writing?
A safe temp folder is the App_Data folder inside the web application.
The ASP.NET application should not have a problem reading and writing to the folder.
It also won't serve files inside that folder to public.
That's what most applications do when people upload avatars or temporary files that you need to store. Just be careful: if a user knows the directory path the file is located in and the file name they are uploading, they can upload an aspx file and it will run under your application identity, and that can compromise you. So put some restrictions on file types that can be uploaded.
Is it possible to rename/move or delete files from a web application (ASP.NET MVC) that are in a server folder, just like how you would do it locally? I would want the user to be able to upload, say, 30 files (from a scanner auto-feed) into a temporary folder on the server (cannot save it locally due to data security) and then allow the user to be able to rename/move them before uploading them to Azure blob storage.
I saw a few examples. jQuery File Tree seemed good, but I'm not sure if it allows renaming and moving. Please suggest solutions for working with the server folder. I intend to delete the server folder after I am done transferring files to Azure. TIA.
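One way to apply the file-type restriction from the answer above when saving into App_Data, as an added example that is not code from the original posts. The `UploadStore` class, the `.doc`-only allowlist and the 5 MB limit are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

public static class UploadStore
{
    // Assumption: the application accepts Word documents only.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".doc" };

    private const int MaxBytes = 5 * 1024 * 1024; // assumed size limit

    // Returns the server-generated file name to record for this upload, or null if it is rejected.
    // uploadFolder is expected to be a folder under App_Data, e.g. Server.MapPath("~/App_Data/uploads").
    public static string Save(HttpPostedFileBase upload, string uploadFolder)
    {
        if (upload == null || upload.ContentLength == 0 || upload.ContentLength > MaxBytes)
            return null;

        string ext;
        try
        {
            // Take only the extension of the client-supplied name; its path and base name are discarded.
            ext = Path.GetExtension(Path.GetFileName(upload.FileName));
        }
        catch (ArgumentException)
        {
            return null; // name contains characters that are invalid in a path
        }

        // Anything not on the allowlist is refused, so .aspx, .ashx and .config never reach disk.
        if (string.IsNullOrEmpty(ext) || !AllowedExtensions.Contains(ext))
            return null;

        // A random server-side name means the uploader can neither choose nor predict the stored path.
        string storedName = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        Directory.CreateDirectory(uploadFolder);
        upload.SaveAs(Path.Combine(uploadFolder, storedName));
        return storedName;
    }
}
```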
Yes, you can do this by giving the USER that is running the ASP.Net application (defaults to IUSR) permissions to write to that folder.
Be very careful though, as you're potentially opening your website for abuse when doing this.
See: https://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis for how IIS users operate.
Is it good practice to store users' files (images, documents, etc.) in the web config folder? Is it going to affect my website in any way? I do know that it is unacceptable to store dynamic/users' files in the BIN folder, so now I'm trying to establish a folder path to store my dynamic files. The other reason is that my service provider said I'm only allowed to store files in the folder where I store my website, because I'm hosting my website on their shared server.
It's safer to store uploaded files either:
under the App_Data folder
or, outside the website's root folder.
This ensures users can't navigate to the uploaded files.
In your case, your service provider's restrictions mean you should store them under App_Data.
A 'web config folder' doesn't really exist. The web.config is a file that can exist at any level in your website directory structure.
To answer your question: simply create a folder anywhere under your website and store the files there. You can create different directories for each user if necessary. This should not adversely affect your website in any way. But... if you expect hundreds of thousands of files, you may need another solution.
I'm uploading files into a folder. It works as it should when I run the solution locally, but when I've uploaded the site to the web server using "copy website", I can no longer upload files to the folder.
Can I change the permissions somehow?
It depends on whether the user that is trying to upload the file(s) into that directory on the server has permissions to that folder on the server, e.g. read/write, etc. Also, is the user that will be using that program on the server running the application as themselves, or as the IIS user account, or some other dedicated account?
Update:
Since you are doing it through the VPN, try terminal serving to that server, and if you personally have permissions to make this change (as in, give permissions), then do it yourself or ask the admins to do it for you.
Depending on the folder you are uploading your files into and the account you have configured the web server to execute your application under, there might be different ways to achieve that. But basically you should grant write access to this account on the folder you are saving the uploaded files into. If you use one of the special ASP.NET folders, such as App_Data, to store the uploaded files, the account should already have write permission to that folder. And if you have uploaded your site to a hosting company that doesn't give you the possibility to change permissions on the different folders that are part of your website, you might need to contact support so that they perform the necessary modifications.
I have a web app where the administrator can create news, pdf documents and other stuff in his cms panel.
The problem is that when the admin deletes a news item or something else, the app deletes all the files related to that news item, I mean the images, PDFs and other documents. The main problem is that those files are stored in folders under the "news" folder, and when the app deletes them the session is lost.
What can I do to have a file system without losing the session?
I'd like that file system within the app folder...
It is impossible for us to store those folders outside the app, and we don't want to use StateServer because of the performance....
Any other solution?
Thanks
Your session is lost because IIS recompiles. The easiest solution in my opinion is to store your files outside the wwwroot.
Discussed on SO: ASP.NET restarts when a folder is created, renamed or deleted
[Update]
Example:
Let's say your app is in c:\inetpub\wwwroot\virtualdir1
You make a work directory:
c:\inetpub\inetwork
Give the proper rights (read/write/etc.) to the ASP.NET user of your app pool and it should all work like a charm.
More info on setting the rights: What are all the user accounts for IIS/ASP.NET and how do they differ?
Store the path to the work directory in your web.config (you do not want to hardcode it).
Having those files within the app folder is a poor design. The session is probably lost because you are causing IIS to recycle due to the file system changes. It is much safer to not have your web application able to write to its own folder; doing so is a security risk.
Separate your document folder and web site folder, and give the right permissions to your document folder.
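Reading the work directory from web.config and checking it before use, as an added example that is not part of the original answer. The `WorkDirectory` appSettings key and the class name are assumptions; the sample path is the one from the answer.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Web.Hosting;

public static class WorkDirectory
{
    // Assumes web.config contains (hypothetical key name):
    //   <appSettings><add key="WorkDirectory" value="c:\inetpub\inetwork" /></appSettings>
    public static string Resolve()
    {
        string configured = ConfigurationManager.AppSettings["WorkDirectory"];
        if (string.IsNullOrWhiteSpace(configured))
            throw new ConfigurationErrorsException("appSettings key 'WorkDirectory' is missing.");

        string work = WithSeparator(Path.GetFullPath(configured));
        string siteRoot = WithSeparator(Path.GetFullPath(HostingEnvironment.MapPath("~/")));

        // Refuse a work directory inside the site: the application should not write to its
        // own folder, and folder changes there are what cost the session in the question.
        if (work.StartsWith(siteRoot, StringComparison.OrdinalIgnoreCase))
            throw new ConfigurationErrorsException("WorkDirectory must be outside the site root.");

        // Fail at startup, not on the first upload, if the app pool account lacks the rights.
        Directory.CreateDirectory(work);
        string probe = Path.Combine(work, Guid.NewGuid().ToString("N") + ".tmp");
        File.WriteAllBytes(probe, new byte[0]);
        File.Delete(probe);

        return work;
    }

    private static string WithSeparator(string path)
    {
        return path.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
    }
}
```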