Folder security/Denying downloads

This is an open forum for any mojoPortal topics that don't fall into the other categories.

This thread is closed to new posts. You must sign in to post in the forums.

11/17/2009 11:05:58 PM

dmegalo

Total Posts 1

View Posts

Folder security/Denying downloads

Is it possible, using only Forms authentication, to keep download links protected from anonymous users? The download links are on a page that requires logon to view but if the url for the link is known, an anonymous user can paste the link in the address bar and download the file. I'd liek to secure the folder and am running out of ideas.

Running Mojoportal 2.3.1.9, MSSQL2008, Vista + IIS7.

Any help would be appreciated.

11/18/2009 7:32:52 AM

Joe Audette

Total Posts 18439

View Posts

Re: Folder security/Denying downloads

Hi,

You could use the Shared File feature in mojoPortal. Put it on a page protected by the "Authenticated Users" role and then only authenticated users will be able to view the page or download files you share.

The problem with links to various fies in the file system is that unless .NET is configured to serve all file types, IIS is going to serve those files and the request is not handled by .NET code so there is no opportunity to enforce any rules.

What the Shared Files feature does, is actually store files on disk with a .config extension which is by default a .NET extension that is protected so .config files will not be served by an http request for the file. If the user has view permission then the Shared Files feature will Response.WriteFile the file changing it back to its original name in the process. So even if someone knew the url to the file they could not retrieve it without permissions.

Hope it helps,

Joe

You must sign in to post in the forums. This thread is closed to new posts.