
Securing a directory

Hi everyone,

I just read an article that said that when you use a web.config file to
secure a directory, all it can do is secure the asp.net resources in that
directory - not any non .net resources.
For example, image files, html and asp files would not be secured.

I didn't actually realise this and it gave me a bit of a fright! Can anyone
suggest the best way to keep a directory secured in an application using
Forms Authentication.

It's not a problem for me at the moment because I haven't made a site that
would be affected, but I'm not really sure how I would ensure a directory
was totally locked down should the need arise.

Thanks to anyone who can help

Kindest Regards

Simon
Nov 18 '05 #1
Hi Simon,
You can secure a directory via web.config by using the <location> element.
As to non-ASP.NET resources---your source was correct. Your IIS maps a
number of extensions to the ASP.NET ISAPI. Each request for .aspx, .ashx,
.asmx and a number of other extensions is routed through the ASP.NET HTTP
Pipeline. The pipeline provides authentication, authorization, caching and
everything else. On the other hand, .htm, .html, .gif, .jpg, etc extensions
are not serviced by ASP.NET by default to avoid unnecessary overhead. You
*can* reassign them to the ASP.NET ISAPI. I briefly touched on this subject
in my article on custom error pages at
http://www.aspnetresources.com/artic...rrorPages.aspx (scroll down
to "What about HTML pages?").

The bottom line is you can have everything go through the ASP.NET pipeline
but this will incur a certain overhead. If you need code samples of how to
secure downloads of images, pdf's, etc let me know. I'll look up a couple.

--
Milan Negovan
www.AspNetResources.com
Essential resources for ASP.NET developers
Nov 18 '05 #2
In article <6L**********************@news4.srv.hcvlny.cv.net> , Milan
Negovan <sa***@northpole.net> writes
> If you need code samples of how to secure downloads of images, pdf's,
> etc let me know. I'll look up a couple.


I'd be interested in that as well (esp the pdfs)

Ta.
--
Paul
Nov 18 '05 #3
Hi Paul,

There's one I know off the top of my head:
http://msdn.microsoft.com/library/de...vingimages.asp.
This one serves images. The idea with PDFs is similar.

--
Milan Negovan
www.AspNetResources.com
Essential resources for ASP.NET developers
Nov 18 '05 #4
In article <_z**********************@news4.srv.hcvlny.cv.net> , Milan
Negovan <sa***@northpole.net> writes

> There's one I know off the top of my head:
> http://msdn.microsoft.com/library/de.../en-us/dndotnet/html/servingimages.asp.
> This one serves images. The idea with PDFs is similar.

Thanks, I'll have a look in the morning.
--
Paul
Nov 18 '05 #5
Hi again,

Here's one for Word files but you can tailor it to stream PDFs:
http://www.devcity.net/net/article.a...contentthieves
--
Milan Negovan
www.AspNetResources.com
Essential resources for ASP.NET developers
Nov 18 '05 #6

"Simon Harvey" <si**********@the-web-works.co.uk> wrote in message
news:eR**************@TK2MSFTNGP12.phx.gbl...
> Hi everyone,
>
> I just read an article that said that when you use a web.config file to
> secure a directory, all it can do is secure the asp.net resources in that
> directory - not any non .net resources.
> For example, image files, html and asp files would not be secured.
>
> I didn't actually realise this and it gave me a bit of a fright! Can anyone
> suggest the best way to keep a directory secured in an application using
> Forms Authentication.
>
> It's not a problem for me at the moment because I haven't made a site that
> would be affected, but I'm not really sure how I would ensure a directory
> was totally locked down should the need arise.
>
> Thanks to anyone who can help
>
> Kindest Regards
>
> Simon

Hi there,

Thanks for your reply!

Those solutions seem a bit convoluted just to keep a directory secure. Do
you know of any simpler way, such as putting the sensitive information
someplace that it's directly accessible via the web, and then providing
asp.net code to get the files should a user be authenticated correctly.

Is that possible or am I just being silly!

:-)

Simon
Nov 18 '05 #7
> Hi there,
>
> Thanks for your reply!
>
> Those solutions seem a bit convoluted just to keep a directory secure. Do
> you know of any simpler way, such as putting the sensitive information
> someplace that it's directly accessible via the web, and then providing
> asp.net code to get the files should a user be authenticated correctly.
>
> Is that possible or am I just being silly!
>
> :-)
>
> Simon


Hi Simon,

You can have one page to control downloads. For example, some kind of a
download.aspx page protected with Forms Authentication. Say you collect user
info and have this page redirect to a PDF/DOC/XLS/etc. If anyone can figure
out your file naming convention (if there's one) they'll know how to bypass
the download page, so it really depends on how far you want to go with this.
On our company web site we have a few PDFs that we "protect" this way
(http://www.custfeedback.com/resources/default.aspx). Once you click a link
to a PDF, download.aspx collects info and redirects you to the file which
triggers a "save as" dialog.

Does it make sense?

--
Milan Negovan
www.AspNetResources.com
Essential resources for ASP.NET developers
Nov 18 '05 #8
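
The idea raised in #7, serving files through ASP.NET code only after the user is authenticated, can close the gap noted in #8, where a redirect to the file's real URL lets anyone who guesses that URL skip the download page. The following is an added example, not code from any poster in this thread; the class name, the `StoreRoot` path, the `file` query parameter and the extension list are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.Security;

// Hypothetical handler (e.g. Download.ashx). It runs inside the ASP.NET pipeline,
// so Forms Authentication applies to it even though the files it serves are static.
public class ProtectedDownloadHandler : IHttpHandler
{
    // Assumption: protected files live outside the web root, so IIS cannot serve them by URL.
    private const string StoreRoot = @"D:\ProtectedFiles";

    // Allowlist: only these extensions are served, each with a fixed content type.
    private static readonly Dictionary<string, string> ContentTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { ".pdf", "application/pdf" },
            { ".doc", "application/msword" },
            { ".jpg", "image/jpeg" }
        };

    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext context)
    {
        // Check the caller in code as well as through any <location> rule in web.config.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // A bare file name only: path separators, ':' and control characters are all
        // invalid file-name characters, so the request cannot point outside StoreRoot.
        string name = context.Request.QueryString["file"] ?? string.Empty;
        string contentType;
        if (name.Length == 0
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || !ContentTypes.TryGetValue(Path.GetExtension(name), out contentType)
            || !File.Exists(Path.Combine(StoreRoot, name)))
        {
            context.Response.StatusCode = 404;
            return;
        }
        context.Response.ContentType = contentType;
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.TransmitFile(Path.Combine(StoreRoot, name));
    }
}
```

Because the handler streams the bytes itself instead of redirecting, no public URL maps to the stored file, so knowing the file naming convention does not help an unauthenticated visitor.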
