Using forms authentication, but you can get at a file if you know the name of it.

I have a website where there is a login screen on it. All works fine. As
part of the website I have links to some pdfs, htmls, jpgs, and assorted
other stuff. I have found if you know the name of the file (or login, and
copy the link) you can get at the file without logging in.

I verified this by pulling up one of my pdfs, copying the url, closing down
all of IE, and then starting IE and putting in the url.

Lo and behold - the file is there.

Is there any way to stop this behavior? What I really want is a way to limit
the people who get to my web site by using a userid/password stored in a
database, and then and only then can they get at my documents. Currently we
use NT security with one userid/password, which isn't a good solution. We
have people coming and going quickly so we need a better way to do this. And
putting the users in NT just seems a pain.

Thanks for your help.

J.
Apr 30 '07 #1
Have you annotated your classes and/or methods with attributes that issue
security challenges, ensuring that users are logged in and members of the
correct role before accessing the class/method? Something like (from MSDN):

[PrincipalPermissionAttribute(SecurityAction.Demand, Name="Bob", Role="Supervisor")]

or (from one of our applications, slightly altered to protect the innocent):

[PrincipalPermissionAttribute(SecurityAction.Demand, Authenticated=true, Role="Supervisor")]

Or you can do the same thing programmatically using things like IsInRole().
You catch any security exceptions that get thrown as a result of these in a
convenient place, like Global.asax.

HTH
Peter

Apr 30 '07 #2
Mufasa,
Since pdfs and other files do not pass through the ASP.NET processing
pipeline, forms authentication will not protect these types of files.
However, there are several ways to prevent IIS from serving up files to
unauthenticated users. One way is to use the HttpForbiddenHandler. See the
following link:

http://www.leastprivilege.com/Protec...hASPNET20.aspx
--
Page Brooks
www.explosivedog.com
Apr 30 '07 #3
Mufasa,
Also, in ASP.NET 2.0, you have the option of adding the following to your
httpHandlers:

<add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler"
validate="True" />

This will cause ASP.NET to process all unknown extensions through the
Authenticate and AuthorizeRequest events in the execution pipeline.
Again, I will refer you to the same URL which has more information on this:

http://www.leastprivilege.com/Protec...hASPNET20.aspx

--
Page Brooks
www.explosivedog.com
Apr 30 '07 #4
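Putting the two replies above together, here is an added example (not from the thread or from the linked article) of a complete ASP.NET 2.0 web.config that routes every extension through the pipeline and denies anonymous users for the document folder. It assumes the protected files live under a folder named docs and that the login page is login.aspx; both names are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example, not code from the thread. Assumes /docs holds the
     protected pdfs/htmls/jpgs and login.aspx is the forms login page. -->
<configuration>
  <system.web>
    <!-- Forms authentication: requests without a valid ticket are sent to login.aspx -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name=".DOCSAUTH" timeout="30" protection="All" />
    </authentication>

    <!-- Hand every extension ASP.NET does not already own (pdf, html, jpg, ...)
         to DefaultHttpHandler so AuthenticateRequest and AuthorizeRequest run
         for those requests too, instead of IIS serving the file directly. -->
    <httpHandlers>
      <add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler" validate="True" />
    </httpHandlers>
  </system.web>

  <!-- Deny anonymous users ("?") for everything under /docs. Because the
       handler above pulls static files into the pipeline, this rule is now
       enforced for pdfs and images, not only for .aspx pages. -->
  <location path="docs">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The httpHandlers entry only takes effect for requests that IIS actually hands to ASP.NET, so on IIS 6 the site also needs a wildcard application mapping to aspnet_isapi.dll (with "Verify that file exists" unchecked); the quick check is to repeat the original poster's test of pasting a document URL into a fresh browser and confirming it now redirects to login.aspx.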
Thanks everybody. I got it to work.

J.

May 1 '07 #5