Using forms authentication, but you can get at a file if you know the name of it.

I have a website where there is a login screen on it. All works fine. As
part of the website I have links to some pdfs, htmls, jpgs, and assorted
other stuff. I have found if you know the name of the file (or login, and
copy the link) you can get at the file without logging in.

I verified this by pulling up one of my pdfs, copying the url, closing down
all of IE and then starting IE and putting in the url.

Lo and behold - the file is there.

Is there any way to stop this behavior? What I really want is a way to limit
the people who get to my web site by using a userid/password stored in a
database and then and only then can they get at my documents. Currently we
use NT security with one userid/password which isn't a good solution. We
have people coming and going quickly so we need a better way to do this. And
putting the users in NT just seems a pain.

Thanks for your help.

J.
Apr 30 '07 #1
Have you annotated your classes and/or methods with attributes that issue
security challenges, ensuring that users are logged in, and members of the
correct role before accessing the class/method? Something like (from msdn):

[PrincipalPermissionAttribute(SecurityAction.Demand, Name="Bob", Role="Supervisor")]

or (from one of our applications, slightly altered to protect the innocent):

[PrincipalPermissionAttribute(SecurityAction.Demand, Authenticated=true, Role="Supervisor")]

Or you can do the same thing programmatically using things like IsInRole().
You catch any security exceptions that get thrown as a result of these in a
convenient place, like Global.asax.

HTH
Peter

Apr 30 '07 #2
Mufasa,
Since pdfs and other files do not pass through the ASP.NET processing
pipeline, forms authentication will not protect these types of files.
However, there are several ways to prevent IIS from serving up files to
unauthenticated users. One way is to use the HttpForbiddenHandler. See the
following link:

http://www.leastprivilege.com/Protec...hASPNET20.aspx
--
Page Brooks
www.explosivedog.com
Apr 30 '07 #3
Mufasa,
Also, in ASP.NET 2.0, you have the option of adding the following to your
httpHandlers:

<add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler" validate="True" />

This will cause ASP.NET to process all unknown extensions through the
Authenticate and AuthorizeRequest events in the execution pipeline.
Again, I will refer you to the same URL which has more information on this:

http://www.leastprivilege.com/Protec...hASPNET20.aspx

--
Page Brooks
www.explosivedog.com
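To make the advice in the three replies concrete, here is an added example (my own code, not something posted in the thread or shipped with ASP.NET): a custom IHttpHandler that takes over the document extensions from IIS and serves a file only after the authentication and IsInRole() checks Peter describes, which is the same effect as routing the extensions through DefaultHttpHandler plus a <deny users="?"/> rule as in Page Brooks' replies, just done explicitly. The handler name ProtectedDocHandler is hypothetical, the role "Supervisor" is borrowed from Peter's attribute, and the roles on context.User are assumed to come from whatever the site already uses (for example the ASP.NET 2.0 role manager). On IIS 6 the extensions must additionally be mapped to aspnet_isapi.dll in the IIS manager; without that mapping IIS never calls ASP.NET for a .pdf and the handler is never reached, which is exactly the behaviour the original question reports.

```csharp
using System;
using System.IO;
using System.Web;

// Added example, not code from the thread. Hypothetical handler name and
// role; "Supervisor" is the role name used in Peter's reply.
//
// Registration in web.config (IIS 6 also needs the extensions mapped to
// aspnet_isapi.dll, otherwise IIS serves them without calling ASP.NET):
//
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="Login.aspx" />
//     </authentication>
//     <httpHandlers>
//       <add path="*.pdf,*.htm,*.html,*.jpg" verb="GET,HEAD"
//            type="ProtectedDocHandler" validate="true" />
//     </httpHandlers>
//   </system.web>
public class ProtectedDocHandler : IHttpHandler
{
    private const string RequiredRole = "Supervisor";   // assumption

    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // 1. Authentication. FormsAuthenticationModule has already turned a
        //    valid ticket cookie into context.User; a 401 status here is
        //    converted by that module into a redirect to loginUrl.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            response.StatusCode = 401;
            response.End();
            return;
        }

        // 2. Authorization: the programmatic IsInRole() check Peter mentions.
        if (!context.User.IsInRole(RequiredRole))
        {
            response.StatusCode = 403;
            response.End();
            return;
        }

        // 3. Resolve the physical file ASP.NET mapped for this URL and refuse
        //    anything outside the application root (defence in depth against
        //    path traversal) or anything that does not exist.
        string appRoot = Path.GetFullPath(context.Request.PhysicalApplicationPath);
        if (!appRoot.EndsWith(Path.DirectorySeparatorChar.ToString()))
        {
            appRoot += Path.DirectorySeparatorChar;
        }
        string fullPath = Path.GetFullPath(context.Request.PhysicalPath);
        bool insideApp = fullPath.StartsWith(appRoot, StringComparison.OrdinalIgnoreCase);
        if (!insideApp || !File.Exists(fullPath))
        {
            response.StatusCode = 404;
            response.End();
            return;
        }

        // 4. Serve the file ourselves: IIS's static file handler is no longer
        //    responsible for these extensions once they are mapped to ASP.NET.
        response.ContentType = ContentTypeFor(Path.GetExtension(fullPath));
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.TransmitFile(fullPath);
    }

    // Minimal content-type table for the file types named in the question.
    private static string ContentTypeFor(string extension)
    {
        switch (extension.ToLowerInvariant())
        {
            case ".pdf":  return "application/pdf";
            case ".htm":
            case ".html": return "text/html";
            case ".jpg":
            case ".jpeg": return "image/jpeg";
            default:      return "application/octet-stream";
        }
    }
}
```

Put the class in App_Code so the type name alone resolves in the httpHandlers entry. The explicit 401 is what makes forms authentication redirect to the login page; answering 403 for a wrong role (rather than redirecting) tells an already-authenticated user that it is permission, not login, that is missing, which is usually what you want for documents.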
Apr 30 '07 #4
Thanks everybody. I got it to work.

J.

May 1 '07 #5