How To Protect Static Files With Form Authentication On IIS 7.5
May 25, 2010
I have a website running on a IIS 7.5 server with ASP.NET 4.0 on a shared host, but in full trust.
The site is a basic "file browser" that allows the visitors to login and have a list of files available to them displayed, and, obviously, download the files. The static files (mostly pdf files) are located in a sub folder on the site called data, e.g. http://example.com/data/...
The site uses ASP.NET form authentication.
My question is: How do I get the ASP.NET engine to handle the requests for the static files in the data folder, so that request for files are authenticated by ASP.NET, and users are not able to deep link to a file and grab files they are not allowed to have?
I have a website on IIS 7. This website has a HttpModule with an AuthorizeRequest event handler. This event does not fire for CSV files and I can access the file without logging in, I guess this is because IIS7 is not configured to require form autentication for CSV files.
I am new at asp sites, and just started to use visual studio...
So every page i make, there is another one (source file) linked to it.
Example...default.aspx and with that the default.aspx.vb or default.aspv.cs. I know what those files are for, but how do i protect them from being downloaded from users... Anyone can just type the url, and get my hard work :-/
I have a site where most of my pages are arranged in business area folders, e.g. Activations, Outdoors, Branding. Each folder has a small web.config that protects the contents against access by people without a role for that business area.
However, basic admin for most business areas is done via Dynamic Data pages. These are only basically protected by not appearing in the menu unless the user has the correct role, but they are still accessible directly via URL, because of the {table}/{Action} routing used by Dynamic Data. What can I do to protect these pages against direct access?
I'm working on a website that streams audio files for the user from a directory on the server machine. How do I protect the audio files from users being able to navigate to the folder and just downloading them locally, but still provide them access to stream them? If I set permissions on the folder via IIS, is there a level that I can set so that the server can stream but not allow anonymous access?I'm sure there is a tutorial or other thread about this out there, it's just hard to search for this specific issue. Any help or a simple link to another thread/tutorial
I have contact form and offten using this form my web site is under attck... someone install some code who try to connect using java scriptand all java scripts that I'm using in my web site are infected...
If a user clicked on a button, which runs a one minute process that MUST stay connected to the file (through the use of FileStream) for writing purpose, and he/she accidentally closed the browser. Currently, when that happens, if the user clicks on the button again, it will return an exception saying that the file is still being used. The part where I write to the file, the code for that is in a class library, which has a destructor (or finalizer, whichever), which calls a Dispose() method. It would usually take about 20 seconds before the file is free again to be used, but is there a way to make it quicker?
I'm thinking the way I'm designing my web app is not the conventional way. How do most people avoid this situation (ie. accidentally closing browser) where a file/resources are not freed up? Do they write into a SQL server instead of a flat file?
I have a webpage where by user can upload jpg file through browse control on my server. Functionality working fine.
I have concern that if any one create virus and assemble it in a form of jpg and upload it on my server which can crash the hard disk or any otherĀ disaster.
Just going to start making a web application and was wondering which was better, or at least what are the main differences between them (as it probably matters what I am using them for)?
I have a requirement to make parts of forms (and sometimes the entire form) read-only based on the user's active-directory group. I already have integrated AD into the dynamic menu, so that users cannot view certain menu itmes based on their AD group - and this is working fine; however, now they want to get down to the control-level on the forms. The first way that comes to mind is for me to just grab the AD groups for the users and then loop through them, and write my own code to make controls read-only or enabled. Is this a good way to do it, or is there another way? Also, while we're on the topic, is there an easy way to protect an entire form, or maybe an entire panel?
I have a database which has form authentication tables for an website [let say website A], now I have attached a new website [Website B] to the same database, in this website [Website B] also I have to provide login/authentication which would be separate from the website A authentication system. So I want to have separate table for the users of new website. Specification:
[code]....
will there be any open source membership provider like we have .NET membership provider [form authentication].
I have a web farm web project, and want to make sure windows authentication is working well without any problem in web farm, can any one give me some web sites or information about that?
I needed information regarding the capabilities & integration of AzMan tool with Asp.net.Currently, I got a Sharepoint 2007 website along with ASP.NET 2008 where I am using Form Based Authenication.Now, the requirement is any user within a domain registered in AD should be able to login in website through intranet.
Can I acheive this using AzMan, or I need to create two websites one with FBA for internet users and the other one for the intranet users with AD authenication. Also my intenet website is deployed and in use where usermapping and roles are already created, so using this tool what will be the impact on existing webiste.
I am building a web application that will not only require a standard user/pass authentication, but users will need to reside at certain locations to authenticate. My initial thought is to have those locations set up with static ips, that I can look for in the request for authentication. I am mostly a programmer and not an expert in http and iis. I am hoping to get some good advice as to what the pros and cons to this approach will be. Also, VPN to the web server is not an option. This web application will be exposed to the web.
I have a class that is creating an instance of StreamReader to an xml file on the local filesystem. It may be possible that this same file is requested multiple times per-second.
I was wondering whether I need to manually add this file to the System.Web.Cache and read it from there, or whether Windows itself is clever enough to cache the item itself so that it 'knows' when ASP.NET requests this file the second/third etc time that it doesnt have to do a disk seek/read operation and pulls it from its own cache?
This article: http://dotnetperls.com/file-read-benchmarks seems to back this up, but this: article:
[URL](although not discussing from a performance perspective, and maybe for other reasons entirely) lists how to add a physical file to the cache.
I use a Masterpage (asp.net webforms) on my site and I woluld like to implement caching of some static files, like javascript, css etc.
I've tried adding the following to my page_load (in the masterpage) but when I use Fiddler the static files are still under "no-cache".
protected void Page_Load(object sender, EventArgs e) { // Set cache for 1 hour on all computers and servers. // ... Proxies, browsers, and your server will cache it. Response.Cache.SetCacheability(HttpCacheability.Public); Response.Cache.SetMaxAge(new TimeSpan(1, 0, 0)); }
I just want the url /style/style.css to point to another static file on the webserver..
I'm getting this error:
There is no build provider registered for the extension '.css'. You can register one in the <compilation><buildProviders> section in machine.config or web.config. Make sure is has a BuildProviderAppliesToAttribute attribute which includes the value 'Web' or 'All'.
I am new to MVC. I am using MVC and VS2010. I am trying to publish my website to a remote server. All files are copied except some static pages i have kept inside a folder. for e.g. i have a folder named Content. I have around 5 .pdf files inside this folder and also a .css. When i do Build->Publish <appname> all the files including the .css is copied but not the .pdfs.
I had a look through some of the older questions, but I can't find anything.I have a Wildcard HttpHandler on my web app which is processing the url and working out if it can do anything with itIf it can't, then the StaticFile Handler should pick it up and just serve it as a static file (like an html file).The problem is, it's going through the Wildcard handler, then seemingly not going to the StaticFileHander. Is there something I need to do to the Wildcard handler, or in the web config?This is my web.config:
I was under the impression that static files (CSS, images, @font-face files, etc) bypassed ASP.NET completely, and were served directly by IIS. However, my BeginRequest event handler is being called for every HTTP request, including those for static files. This concerns me because I'm creating an Entity Framework data context to be used for the lifetime of each request in that event handler. I don't want to create those contexts if they're never going to be used.
I'm using IIS 7 on Windows 7 Ultimate with so special handler mappings defined. Do I have it wrong? Should these events be firing?
