How to secure docs other than .aspx files.

I have a folder within my web application that holds a bunch of Word
documents. I have security set up to use forms authentication. If I try and
access a .aspx page that is not listed in my web.config file to allow
anonymous users, it will redirect appropriately. However, if I try and
access one of the word documents, it can be accessed through a web browser
even if the user is not logged in. Is this intended to be this way? Why are
these documents able to be accessed within the web application, even if a
user is not logged in?

Here's how I set up the security:
<authentication mode="Forms">
  <forms loginUrl="DefaultLogin.aspx" />
</authentication>

<authorization>
  <deny users="?" />
</authorization>

<location path="DefaultLogin.aspx">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>
Nov 19 '05 #1
> Is this intended to be this way?

For the most part, yea.
> Why are these documents able to be accessed within the web application,
> even if a user is not logged in?

They're not really part of the application. They just happen to be in the
same directory as your application.

One solution is to move the files outside of your root web folder and then
stream the files to the browser via a page inside your application.

-Darrel
Nov 19 '05 #2
I'd suggest you move these files into a private folder (or database) with
security set appropriately.
Then you can retrieve the files for them once you've authenticated them.

Here's more info:
http://SteveOrr.net/articles/EasyUploads.aspx
http://msdn.microsoft.com/library/de...FileTopic3.asp

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://SteveOrr.net
Nov 19 '05 #3
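
The approach both replies describe (keep the documents outside the web root and stream them from inside the application once the user is authenticated), as an added example that is not part of the original thread. The handler name, the `D:\PrivateDocs` folder and the `file` query parameter are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler (for example GetDocument.ashx inside the application).
// Requests for it run through ASP.NET, so the <deny users="?" /> rule applies.
public class DocumentHandler : IHttpHandler
{
    // Assumed private folder outside the web root; IIS cannot serve it directly.
    private static readonly string DocumentRoot = @"D:\PrivateDocs";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Defence in depth: refuse anonymous callers even if web.config changes.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // Accept a bare .doc file name only: no separators, colons, quotes
        // or control characters, so it cannot leave the folder or split a header.
        string name = context.Request.QueryString["file"];
        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 ||
            !name.EndsWith(".doc", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 400;
            return;
        }

        // Resolve the path and confirm it is still under the private folder.
        string root = Path.GetFullPath(DocumentRoot + Path.DirectorySeparatorChar);
        string fullPath = Path.GetFullPath(Path.Combine(root, name));
        if (!fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase) ||
            !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/msword";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + name + "\"");
        context.Response.TransmitFile(fullPath);
    }
}
```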
