
Protecting PDFs with Forms Authentication?

Hi there,

I'm writing an app in which a punter buys some PDFs online. After
purchasing said PDFs, they will be given a token (bless them Guids) to
go to a download .ASPX page from which they can download the PDFs.

I'm planning to use Forms Authentication to protect the .ASPX page
which gives them the list of PDFs they can download (driven by the
token, which will be their order number or similar). The page will
also only allow 10 loads and the list of PDFs will only be available
for 24 hours to cut down on other people obtaining the PDFs.

And there's the rub: for the PDFs to be downloaded from the site, they
have to exist in the site. And if that's the case, what's to prevent
people figuring out (right-click, view properties of the hyperlink)
the URL of the PDF and going directly to the PDFs? I was hoping that
Forms Authentication would protect all files in a folder, but it
appears not to do so - I directly download a PDF file in a folder
protected by Forms Authentication, guess it only works for .aspx
files?

So, does anyone have any suggestions? I did think about creating a
separate folder for each order (i.e. each Guid), and then copying the
PDFs into that, but the files are quite large, and then a job on the
server would have to run each day to wipe old folders, etc.

Yours in hope,

Mike Kingscott
Nov 18 '05 #1
3 Replies


I believe all you need to do is to configure your IIS App Mappings under Home Directory/ Application Settings/ Configuration to route requests for .pdf's through aspnet_isapi.dll. Forms authentication should pick up on the requests then, and allow/deny them access accordingly.

--Michael


Nov 18 '05 #2

They do not necessarily have to be on the site. A web page could read this
file from another location and stream its content to the browser (see the
Response.WriteFile method).

Patrice


Nov 18 '05 #3
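
The streaming approach suggested in the reply above, as an added example that is not part of the original thread: an ASP.NET handler in C# (.NET Framework 4 or later assumed, for Guid.TryParse) that serves PDFs from a folder outside the web root and applies the 24-hour window and a 10-download limit per token at download time. The Order class, the in-memory Orders dictionary, the D:\PdfStore path and the "token" and "file" query-string names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Hypothetical order record; a real application would load it from the order database.
public class Order
{
    public DateTime PurchasedUtc;
    public int Downloads;
    public HashSet<string> Files = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
}

public class PdfDownloadHandler : IHttpHandler
{
    // Assumed folder outside the web root, so no URL maps directly to a PDF.
    const string StoreRoot = @"D:\PdfStore";
    // Stand-in for the order table, keyed by the Guid token from the thread.
    static readonly Dictionary<Guid, Order> Orders = new Dictionary<Guid, Order>();

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        // Forms Authentication has already populated ctx.User for this request.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) { Deny(ctx, 401); return; }

        Guid token; Order order;
        string name = ctx.Request.QueryString["file"] ?? "";
        // The name must match an entry in the order's file list exactly, so
        // path sequences such as "..\" never reach the file system.
        if (!Guid.TryParse(ctx.Request.QueryString["token"], out token)
            || !Orders.TryGetValue(token, out order)
            || !order.Files.Contains(name))
        { Deny(ctx, 404); return; }

        lock (order) // check and count atomically under concurrent requests
        {
            bool expired = DateTime.UtcNow - order.PurchasedUtc > TimeSpan.FromHours(24);
            if (expired || order.Downloads >= 10) { Deny(ctx, 403); return; }
            order.Downloads++;
        }

        ctx.Response.ContentType = "application/pdf";
        ctx.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        // TransmitFile sends the file without buffering it in memory (large PDFs).
        ctx.Response.TransmitFile(Path.Combine(StoreRoot, name));
    }
    static void Deny(HttpContext ctx, int status) { ctx.Response.StatusCode = status; }
}
```

The handler still has to be registered in the application (for example as an .ashx endpoint) at a path covered by the Forms Authentication rules.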

Guys, thanks very much for the speedy response. At the moment, I've
gone for protecting the file via the aspnet_isapi.dll method, and it
works just dandy. As for using the Response.WriteFile method, I may
have to try that as well, just for extra security, but I'm wondering
if it would work for a right-click Save As... command? Ah well,
something to play with when I have time ;-)

Thanks again,

Mike Kingscott
Nov 18 '05 #4
