Preventing Users from Downloading file from website directly, how? - asp.net

I need very advanced and effective method of Preventing Users from Downloading file from website directly in asp.net.
Method should -
limit downloads,
limit time,
limit requests,
etc.
but should be downloadable by active login users

Delete the file from the server.
Any user trying to download it will not longer succeed.

You can put your files into a directory and configure that directory as not accessible by public users.

Store the files in a folder which is not accessible via IIS (i.e., not underneath your web application's root)
Create an .ashx generic handler which takes a file identifier (either filename, or ID of some sort) as a QueryString parameter.
In that .ashx, perform whatever checks you want to perform: is the user logged in? have they downloaded too many files? etc.
Then, if you decide that they should be allowed to download it, set the response headers appropriately and write the file out to Response.OutputStream

Related

How to retrieve asp.net media / resources based on logged in user?

I have an asp.net web api project using token based authentication. my app uploaded and retrieve images and I keep file path in table_myfiles along with the uploaded user ID.
I would like the user to access only the files he have uploaded, which I can identify from the table.
How to protect my resources to restrict access to only to the user based on table_myfile ? And not to anyone without logging in or direct link / path ?
I have been searching for any possible solution for a week now , I think I should implement a middleware to manage access. But I couldn’t find any resources on how to implement the same.
Currently my api shows all resources just by directly accessing the file path/link.
The simple apporach is to remove the vitural folder, or that folders from the web site folders. That way, no simple URL exists for any of the files.
So, for a user to get/see/use/download a file? You present say a listview or some kind of grid (or repeater) that displays and lists out the files.
Then, when they want to download or view a file?
You use response.write and stream the file down to the client side.
Remember, on the server, code behind uses 100% clean and correct windows file paths. For any web based URL, then that folder must be in a valid path of the web site. When they type in a valid URL, it eventually gets translated to that given folder in the site (or a external folder provided when you create a mapped "virtual" folder in IIS. However, if you don't provide that virtual folder, or the folder is NOT in the web site file/folder sets, then no valid URL's exist. However, that folder can be directly used and hit with code behind - any valid server path/folder name is allowed in code behind.
Because when streaming the file, you need path name, file name, AND ALSO the "mine" type. Thankfully, .net 4.5 or later has this ability.
so, from a database (table) I display the file names like this:
But, if you click on the preview image, that is a image button.
The code behind simply gets/grabs the file name from the database.
I then download (stream) the file to the browser side like this:
if (File.Exists(strInternalFullPath))
{
string strConType = MimeMapping.GetMimeMapping(strInternalFullPath);
binFile = File.ReadAllBytes(strInternalFullPath);
Response.ContentType = strConType;
Response.AppendHeader("Content-Disposition", "attachment; filename=" + Path.GetFileName(strWebUrl));
Response.BinaryWrite(binFile);
Response.End();
}
else
MyToast2(this, btnLink.ClientID.ToString, "File Not found", "We no longer have this file avaiable.");
so, this buttion behaves 100% like a link, but there are no existing URL's or path name that points to the files folder from a web based URL.
Remember:
Web based URLs - they auto map from the web site URL to a existing folder.
You can use server.MapPath("some url to file") to "translate" this to a internal file name.
Code based files:
In your .net code (code behind) ANY file name is a standard plane, jane file name that points to a file on the server.
so, once we have that file name from the database, you can steam the file as if the user clicked on a link. But you never have to expose the actual file name, or file path. And no such valid URL's exist on the web site, since you do NOT have that files folder in the web site folder hierarchy - but placed that folder outside of the web site.
As long as that folder is outside of the web folders, and as long as you don't setup a virtual folder that points to that folder outside the web folders?
Then code behind can STILL get/grab/see/use any file on the server. that code uses a full valid windows file name, - but the web site will have no mapping to such a folder - hence no valid URL's will exist or can be typed in.

how to protect or authenticate public data like videos and document files on server?

I need to hide the direct link of the files in my site and show download delay of 30 seconds for unRegistered users, Like mediafire and rapidshare do. Is there any way to hide or obfuscate the link of the files doc, pdf,ppt, images and Videos (Most Important), on server (asp).
For start, you place all that files on a protected directory (like the App_Data) and then you use a handler to send them to the registered users.
Inside the handler you can make your checks, if the user is register, if he comes from your site, if the link have time out etc.
For how to make this handler, here is some tutorials, but you can find more if you search.
Simple File Download Protection with ASP.NET
ASP.NET File Download on MSDN
Also you may interesting for this questions/answers:
What is the best way to download file from server
Error handling when downloading file from ASP.NET Web Handler (.ashx)

Force file download in a browser using ASP.Net MVC when the file is located on a different server without downloading it on my server first

Here's what I would like to accomplish:
I have a file stored in Windows Azure Blob Storage (or for that matter any file which is not on my web server but accessible via a URL).
I want to force download a file without actually downloading the file on my web server first i.e. browser should automatically fetch the file from this external URL and prompts the user to download it.
Possible Solutions Explored:
Here's what I have explored so far (and why they won't work):
Using something like FileContentResult as described here Returning a file to View/Download in ASP.NET MVC to download the file. This solution would require me to fetch the contents on my server and then stream from my server to the browser. For this reason this solution won't work.
Using HTML 5 download attribute: HTML 5 download attribute would have worked perfectly fine however the problem is that while it is really a very neat solution, it is not supported in all browsers.
Changing the file's content type: Another thing I could do (at least for the files that I own) to change the content type property of the file to something that the browser wouldn't understand and thus would be forced to download the file. This might work in some browsers however not in all as IE is smart enough to go beyond the content type and sees the file's content to determine the content type. Furthermore if I don't own the files, then I won't have access to changing the content type of the file.
Simply put, in my controller action I should be able to specify the URL of the file and somehow browser should force download the file.
Is this something which can be accomplished? If yes, then any ideas how I could accomplish this?
Simply put, in my controller action I should be able to specify the URL of the file and somehow browser should force download the file [without exposing the URL of the file to the client].
You can't. If the final URL is to remain hidden, your server must serve the data, so your server must download the file from the URL.
Your client can't download a file it can't get the URL to.
You can create file transfer WCF service (REST) which will stream your content from blob storage or from other sources through your file managers to client browser directly by URL.
https://{service}/FileTransfer/DownloadFile/{id, synonym, filename etc}
Blob path won't be exposed, web application will be free from file transfer issues.

Securing Individual Files in ASP.NET

I have a scenario where a user will have access to a one-time-url.
When the user clicks on the URL, specific files will be available to that user.
I have many files on the site but would only like certain files to be accessible by that user.
I have though about generating an authenticated cookie and using forms based auth and applying permissions to a certain folder, but I need authorization on indiviual files. and the files will constintly be changing.
What would be the best way to give a user only access to specific files? (I won't display the other files, but I still do not want other files available if they are typed in the URL)
I would create an .ashx (handler file) and have that serve the files to the user (load into memory and then write the contents out by pushing the file to the content stream). That way the end user never has permissions to the actual files on the system but can still access them. Your code can then control when and how long each file is available to a user.
I would provide an abstraction around the actual file retrieval. That way the user never sees file name. Something like www.example.com/File.aspx?id=SOMERANDOMGUID
That RANDOMGUID could reference a file in the back end.
If you have lots of disk space, one way to accomplish this is to copy the files to a randomly-generated folder, so that the URL to a user's files is unique for each user.
I think it would be easier if your files are associated with an ID and the path is kept in the database. This way you can pull the files using the ID.

ASP.NET Web.config question

The server is IIS7.
Is there a way to disable web.config files in subfolders?
I am asking because, I have a folder on the web server that is for uploads. When someone uploads files, a new folder is created for the user's session and the files they upload go in the folder.
So the path to uploads would be like this:
~/uploads/3F2504E0-4F89-11D3-9A0C-0305E82C3301/somefile.txt
In the ~/uploads/ directory there is a web.config file that removes all http handlers except the static file handler and adds a wildcard mime type. So every file that a user uploads will only ever be served statically.
If a user uploads a web.config file, I want to disallow any of the settings in that file from being applied.
How can I do this?
EDIT
Could I just make the upload folder an application that is a member of an application pool configured to run in Classic mode instead of Integrated Pipeline mode? That way it wouldn't even care about a web.config file.
EDIT 2
Is there another type of webserver I could install for serving all files statically? I could just access the files through a different port. Is there some software that I can be sure wont run any scripts and is safe.
I simply wouldn't allow them to upload a file with that name. In fact, I normally wouldn't trust any filename that the user gave me... makes a great candidate for an injection-style attack.
Ok I have a different angle on this...
What if your uploads folder was not part of the website and instead part of the file system? This way ASP.NET is not processing requests to the folder and thus web.config wouldn't be loaded by the ASP.NET runtime.
You'd have to give your app pool's account read/write access to the file system where these files are stored, but I think it better fits what you're trying to accomplish.
Obviously it could be done in code.
If the folders always exist, you could pre-populate with a web.config with no (significant) content and an ACL to ensure it cannot be overwritten, but looking at the path it I suspect you create the upload folders dynamically which means this would not work.
I don't believe there is a way to tell IIS not to use a web.config (but I could be wrong). Personally, I would add a check to my save code and rename the file.
Why not just check the filename first to prevent the user from uploading a file named web.config? You're probably going to want to check for other things too before allowing the upload - files that are too big, etc.

Resources