How to Protect Flash from getting download - asp.net

I am developing a elearning site and we have developed our courses in Flash. I want to know how we can prevent our courses from getting download from our site.Technology used for developing website is ASP.NET with C#.

Assuming you are developing an e-learning site with a user login system, you can only give access to the courses to authenticated users that have rights to specific courses. If there is an unauthenticated / public request for a course file (swf, html, etc...) then refuse to serve that file to the client.
I'm sure there are other ways to accomplish this, but one way is to handle those file requests in your Global.asax, the general idea would involve using "Begin_Request", something like:
void Begin_Request(object sender, EventArgs e)
{
if (Request.FilePath.Contains("yourprotectedpathname"))
{
if (check session if user is not logged in or does not have access)
{
Server.Transfer("404.aspx");
return;
}
}
}
}
You would want to store what users have rights to what courses in a database of course, and take advantage of Sessions
As the others have mentioned, anything the client can see can be downloaded. This method would simply limit the clients that have access to download your courses.

As others have mentioned users need to be able to download the content in order to view it. If your Flash files are standalone a user could pull the SWF files from their cache and run them locally or event post the files to another server to access them online.
If the content in the Flash files is read from a database via C# script that would make it much more difficult for users to replicate the structure.
I don't really recommend this method but you could hard-code the SWF files to only load from your domain, for example (AS3):
var myURL:String = "http://www.mydomain.com/";
//Check to see if the SWF is being loaded from mydomain
if (loaderInfo.url.slice(0, myURL.length) != myURL) {
//If it isn't being loaded from mydomain, remove all displayobjects from stage
while (numChildren > 0) {
removeChildAt(0);
}
}
This ActionScript would remove all items from the stage and just show a blank page if anyone tried to load the SWF locally or from another domain. I don't recommend this since you are hard-coding the domain into your Flash files. If you move the files to another domain the code would have to be updated. You would also need to account for variations in the URL (e.g. https, mydomain.com, www.mydomain.com etc.)

Related

how to protect or authenticate public data like videos and document files on server?

I need to hide the direct link of the files in my site and show download delay of 30 seconds for unRegistered users, Like mediafire and rapidshare do. Is there any way to hide or obfuscate the link of the files doc, pdf,ppt, images and Videos (Most Important), on server (asp).
For start, you place all that files on a protected directory (like the App_Data) and then you use a handler to send them to the registered users.
Inside the handler you can make your checks, if the user is register, if he comes from your site, if the link have time out etc.
For how to make this handler, here is some tutorials, but you can find more if you search.
Simple File Download Protection with ASP.NET
ASP.NET File Download on MSDN
Also you may interesting for this questions/answers:
What is the best way to download file from server
Error handling when downloading file from ASP.NET Web Handler (.ashx)

In App downloadable content

I'm trying implement a kind of private 'cloud store' for may web application. Let me explain, I have 'reports' (a file containing queries etc) which can be installed on a client pc. Normally, we e-mail them the files to end users whenever we create new ones and they manually import them into the app (using standard file upload in any browser).
Now we want to take it a step further and create a page which will pull a list of files from our site, eg. www.me.com/reports. The app will go through the list, compare to those installed and display new ones, updated ones etc. An end user could then just click on a button and the files are downloaded on the server and installed.
I'm trying to avoid writing any web server code, I'd prefer to just create a windows authenticated virtual directory that allows for file listing (or something close to this). I'm thinking maybe some javascript that will silently download the file to the client, then upload it back to the intranet iis server. All done without user interaction. Is this even possible?
I'd like to get anyone's thoughts on how something like this could be implemented, and what pitfalls I should watch out for.
Thanks
JK

Preventing Users from Downloading file from website directly, how?

I need very advanced and effective method of Preventing Users from Downloading file from website directly in asp.net.
Method should -
limit downloads,
limit time,
limit requests,
etc.
but should be downloadable by active login users
Delete the file from the server.
Any user trying to download it will not longer succeed.
You can put your files into a directory and configure that directory as not accessible by public users.
Store the files in a folder which is not accessible via IIS (i.e., not underneath your web application's root)
Create an .ashx generic handler which takes a file identifier (either filename, or ID of some sort) as a QueryString parameter.
In that .ashx, perform whatever checks you want to perform: is the user logged in? have they downloaded too many files? etc.
Then, if you decide that they should be allowed to download it, set the response headers appropriately and write the file out to Response.OutputStream

Flash uploader and ASP.net MVC

I have a flash upload component I want to use to upload multiple files. I'm using it in a MVC app and what I want to happen is that the user picks the files they want to upload, it uploads them and then displays a page showing all the files they have uploaded so they can add a description and select where to save them, and then save the files.
At the moment when files are uploaded the flash component calls a controller to process the files, this bit works fine, I can get the uploaded files and do what I like with them. The problem is is that I cannot just redirect to a View once the controllers done its work, because its the flash component calling the controller, not the page and so nothing happens when you try and do that.
I had attempted to save the files in the session and then forward the user on completion of the upload using some code in the flash actionscript, this however does not work, the session always turns up null. I had also considered actually saving the files to a temp location and then on the displaying page just listing all files in the temp location, but this is then going to involve saving the files twice, once to the temp directory and then to the actual place the user wants to put them, which I assume will be slow.
Any thoughts on the best way to do this?
Is your site using cookie based authentication? If so then the flash uploader needs to include the authentication cookie when uploading otherwise the upload will be seen as coming from a new user - this would explain your null values in the session state. If you are unable to get flash to post the cookie then you'll have to identify the user within the upload URL.
You should keep session state to a minimum or even better not use is at all so storing large amounts of data such as images in it is a bad idea.
With our applications we save all uploaded files to the database and then give them a unique Guid that is then used to retrieved/display them later. Within the database images could be associated with a user and in your case be marked as just uploaded so that when you redirect the user to the additional information page you know which images to display.
but this is then going to involve
saving the files twice, once to the
temp directory and then to the actual
place the user wants to put them
In relation to where the files are saved on the server you should not be allowing the user to determine where the files are saved.

ASP.NET Image Upload Architecture

What would be the best method to implement the following scenario:
The web site calls for a image gallery that has both private and public images to be stored. I've heard that you can either store them in a file hierarchy or a database. In a file hierarchy setup how would prevent direct access to the image. In a database setup access to the images would only be possible via the web page view. What would be a effective solution to pursue?
[Edit] Thanks all for the responses. I decided that the database route is the best option for this application since I do not have direct access to the server. Confined to a webroot folder. All the responses were most appreciated.
Having used both methods I'd say go with the database. If you store them on the filestore and they need protecting then you'd have to store them outside the web-root and then use a handler (like John mentions) to retrieve them, anyway. It's as easy to write a handler to stream them direct from database and you get a few advantages:
With database you don't need to worry about filestore permissions or generating unique filenames or folder hierarchies etc.
With database you can easily apply permissions and protection directly - no trying to work out who can view what based on paths etc.
With a database you can store the image and metadata all together - when you delete the metadata you delete the image - no possibility of orphaned records where you delete from database but not from filestore
Easier to back-up database and images and then restore
The disadvantage is that of performance, but you can use caching etc. to help with that. You can also use FILESTREAM storeage in SQL Server 2008 (and 05?) which means you get filesystem performance but via the DB:
"FILESTREAM integrates the SQL Server
Database Engine with an NTFS file
system by storing varbinary(max)
binary large object (BLOB) data as
files on the file system. Transact-SQL
statements can insert, update, query,
search, and back up FILESTREAM data.
Win32 file system interfaces provide
streaming access to the data.
FILESTREAM uses the NT system cache
for caching file data. This helps
reduce any effect that FILESTREAM data
might have on Database Engine
performance. The SQL Server buffer
pool is not used; therefore, this
memory is available for query
processing."
Using file hierarchy, you can put the files out of the website file folder, for example, suppose the web folder is c:/inetpub/wwwroot/somesite, put the file under c:/images/, so that the web users won't be able to access the image files. but you cannot use the direct link in your website neither, you need to create some procedure to read the file, return the stream.
personally I think it's better to put the file in the database, still create some procedure to retrieve the binary image data and return to wherever it needed.
In reality both scenarios are very similar, so it's up to you... Databases weren't designed to serve files, but if the size isn't really a concern for you, I don't see a problem with doing it.
To answer your question about direct access, you'd setup the file images the same way you would for the database: You'd use some sort of page (probably a .ashx handler) that serves the images, allowing you a layer of logic between the user and image to determine whether or not they should have access to it. The actual directory the images are located in would then need to either a) not be part of the directory structure in IIS or b) if it is part of IIS, only allow windows authenticated access, and only allow the account the application process is running under access to the directory.
If you're using IIS7, since .net jumps in the pipeline early I believe you can protect jpg files as well, just by using a role manager and applying roles to file system folders. If you're using IIS6, I've done something similar to the answer by John, where I store the actual file outside of the wwwroot, and use a handler to decide if the user has the correct credentials to view the image.
I would avoid the database unless you have a strong reason to do this - and I don't think a photo gallery is one of them.
Neither. Amazon S3 offers a very simple API for accepting uploads. You can use SimpleDB or your SQL database to track the URLs and permissions. Set the entire S3 bucket to private, and authenticate to it using your AWS key on the ASP.NET server.
Very little code is required to upload to S3, and very little more would be required to perform bookeeping in SQL.
Once they're in S3, grab the image resizer library and the S3 Reader plugin and you can have your entire system running in under an hour. And - it will scale properly. No disk or database space limits. Ever.
You can implement authorization using the AuthorizeImage event of the Image Resizer library. Just throw an AccessDeniedException if access isn't allowed for the current user.
If you want to tune performance a bit mare, add both the DiskCache and CloudFront plugins. CloudFront can edge-cache the public images (inexpensively), and DiskCache will handle the private images, serving them at static-file speeds.

Resources