Security :: Blocking Access To Files From URL
Jun 15, 2010
I have built an online CMS that is forms authenticated. The CMS allows administrators to upload files to the website. These files are stored outside of the Forms Authenticated section of the site so that they can be accessed from another site I have built. This other site is also forms authenticated, so users must log in and then they can access the files on the CMS site. site1.com: CMS for administrators only. Site stores all the files. site2.com: Access site.
My second website (The access site), is basically an empty shell that is filled with all of its content through the CMS using an SQL database and then displayed on the page. This works fine as only authenticated users have access to the interface used to view and download the files. My problem was, even though there is no public interface to find the files, someone could surely type [URL] and the video would be available to them. I dont really know what to do here, is there any way that people could be blocked from retrieving the files like this?
View 1 Replies
Similar Messages:
Dec 9, 2010
I have an ASP.NET MVC application that use the default ASP.NET Membership Provider. My customer asked to implement a feature that prevent users to log in (for example for users that resign and leave the company). I cannot use the IsApproved flag of the Membership table because that field is used to confirm user egistration. Is there any built in functionality for doing this? What are your experiences in scenarios like this?
View 1 Replies
Jun 9, 2010
I have a client who wants me to block his site from certain countries. Each month I add all the new IP address ranges for these countries into a sql database. If the user has a blocked IP address, the site directs them to a phoney 504 error page. This way it doesn't appear that the site is being blocked, but rather is just having difficulites. Thats the way we want it.
It works fine however, there are some users (5%) who get a 500 error. No rhyme or reason. It works across all browsers and operating systems. I have no way of finding out why from my hosting service. I can't dupliate it. I have the following code that runs at Page_Init
[Code]....
View 10 Replies
Nov 19, 2010
I want to increase the security of my website, does creating http module that block certain ip address will increase security?
Since IP Address can be manipulated if I'm not mistaken, I'm not sure that creating HTTP Module will help.
View 1 Replies
Sep 15, 2010
I'm developing a MVC2 application and using Forms Authentication on it. The scripts, images and styles are all blocked to unlogged users and, consequently, the login page looks awful. It works well local, the problem is when I publish to the server. Does anyone has any idea WHY? The server IIS is version 7.5
<configuration>
<system.web>
<globalization culture="pt-BR" uiCulture="pt-BR" />
<httpRuntime requestValidationMode="2.0"/>
<customErrors mode="Off" />
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
<pages>
<namespaces>
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Routing" />
<add namespace="Admin.Models" />
</namespaces>
</pages>
<authentication mode="Forms">
<forms name="AGAuth" loginUrl="~/Home/Login" timeout="120" />
</authentication>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0" newVersion="2.0.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
<connectionStrings>
<add name="DBContainer" connectionString="metadata=res://*/Database.DB.csdl|res://*/Database.DB.ssdl|res://*/Database.DB.msl;provider=System.Data.SqlClient;provider connection string="Data Source=thewebserver.com,5158;Initial Catalog=thedatabase;Persist Security Info=True;User ID=theuser;Password=thepassword;MultipleActiveResultSets=True"" providerName="System.Data.EntityClient" />
</connectionStrings>
</configuration>
View 9 Replies
Aug 19, 2010
Here is my dilema, on my site i have a WordPress Audio player (http://wpaudioplayer.com/standalone) that plays my mp3's.
It loads the Mp3's in by javascript...example below:
AudioPlayer.embed("audioplayer_7", { soundFile: "/Files/Music/[name of file].mp3" });
This file name is clearly visible in the browser source. Not a problem, however this means that any user can legitimately browse to the file directly and download it.
Now i still need the mp3 player (which is flash) to have access to the file but if a user was to try accessing the file directly, they would not be allowed access to it.
I am not sure how to go about this, i am circling the idea of a httphandler but not sure if this is sufficiant to stop the direct access to the file.
View 2 Replies
Aug 2, 2010
I run a simple .aspx website on a Windows Server 2008 machine.There is no impersonation, and System.Security.Principal.WindowsIdentity.GetCurrent().Name returns NT AUTHORITYNETWORK SERVICE, which it the account which the application pool runs.I tried to test the security of the application and server by removing file permissions to the .aspx files. I was greatly worried when the website continued to run without problem (it should not have been able to read the .aspx files).By turning on file level auditing, I discovered that the .aspx files were being read by the machine$ account (if the machine is called Serv1, then the files would be read by the Serv1$ account, which seems to have access to all files on the local machine).Is this a security breach or is this behaviour by design ?
View 4 Replies
Aug 11, 2010
I have a folder with username and password over it.I wanna make a page where i can access files under that folders in .net and be able to download them.How to code that in VB.net?
View 2 Replies
Mar 7, 2011
My restricted files are all stored in ~/Secured folder on the root. Authorized users have no trouble accessing aspx files in that folder. Recently I added a part of an application whose files I wanted to keep separate and created a ~/Secured/HR folder. I am getting a "resource not found" error trying to use any aspx file in HR folder even after user successfully logs in, as if the file does not exist at all. Here is my web.config security settings:
[Code]....
Do I need to configure security for that folder separately?
View 1 Replies
Jan 29, 2010
I have a web app, which contains a folder Uploads, to which users (authenticated) upload their files (for some reason it has to be a folder in the root of the web app).I want to deny access to this folder and files to all non-authenticated users.
In my web.config I have:
[Code]....
and everything seems to work in development, but on a staging server it redirects non-authenticated users to login page ONLY from aspx pages, but not when entering the url to the file in Uploads folder.
View 5 Replies
Aug 18, 2010
Why can I still access files inside a forms authenticated part of my site? Any webpages say that you need to login to view them, but people can still access images by typing in the address bar. I am using forms authentication with my own database, so none of the aspnetdb services like membership roles etc. Is this a bad way to do things because I'm pretty deep into it now and it would be very difficult to change.
View 16 Replies
Jul 1, 2010
I was following the tutorials from this two sites:
http://www.15seconds.com/issue/070104.htm
http://aspnet.4guysfromrolla.com/articles/020404-1.aspx
Following the first site, it had worked but when I´ve moved the pages and files to other folders and set the web.config file on this folder, now it won´t work at all!!!
The file is an *.swf object. I did put the asapi.dll to map the extension on the website root, I´ve put the
[Code]....
on the web.config new folder and on the web.config website´s root.
It won´t work!!! I can access the file directly!!! on the web.config of the folder that contains the file, there is a <deny users="*" /> line.
View 4 Replies
Mar 23, 2011
I need a way to block users from their IP if necessary. What's the best way to approach this? Can I use Request.ServerVariables["REMOTE_ADDR"] and store the ip address as a string in the DB?
View 3 Replies
Oct 5, 2010
I trying dotnetzip on localhost everything works fine.but on a real dotnet hosting it raises error :
Access to the path 'C:inetpubvhostslahblah.comsubdomains
aporhttpdocsDotNetZip-luqevaxu.tmp' is denied.
using (ZipFile zip = new ZipFile(Server.MapPath("~")+"/a.zip"))
{
zip.AddFile(Server.MapPath("~")+"/deneme.txt");
zip.Save();
}
View 1 Replies
Mar 3, 2010
I am encountering issues in the navigation defined in a master page which are being blocked by validators pages that inherit from the master. How can I disable these validators so that they do not prevent my button actions in the master page?I am using AJAX controls in child pages.
View 2 Replies
Nov 18, 2010
We have a page that makes a request to a 3'rd party web service. When under heavy load this response time extends significantly, however the 3'rd party reports back that there times for processing remains constant. There timings show that from the time they receive a request to the time they send it back is always around 1.5-2.0 seconds. Now we are experiencing wait times of over 20 seconds. My understanding of ASP.NET is that each request will run on a IIS thread pool thread and make the request to the 3'rd party service return and process. So I don't really understand what could be blocking on our end. Is there something I am missing?? Is there a threshold limit beyond IIS that is blocking?
If I am missing something a physical book recommendation that covers this subject would also be a very welcome addition to any answer.
View 2 Replies
Jul 23, 2010
My application is showing lots of thread wait events in the GetScriptReferencesInternal method of ScriptObjectBuilder. I am running a load test with 150 concurrent sessions and in 10 minutes I see 1000 thread block events. Each event stalls the execution of the thread for an average of 6 seconds.
View 2 Replies
Jun 29, 2010
Whenever I use TransmitFile to send a file, the sirte becomes blocked to the user until the file completes. IOW, the user cannot navigate the site.If the user cancels the transfer, it still blocks until the site either times out OR finishes sending the data. I can't tell which, but I know if for example I cancel a 30MB file immediately after starting the download, it takes longer to recover than a 10 MB file.Here is the relevant code:
Response.ContentType = "application/octet-stream";
Response.AppendHeader("Content-Disposition", contdisp);
Response.AddHeader("Content-Length", new FileInfo(fullfilename).Length.ToString());
Response.TransmitFile(fullfilename);
Response.Flush();
View 1 Replies
Mar 1, 2011
I was wondering whether HttpPostedFile.SaveAs function in ASP.NET C# is a blocking call.
View 1 Replies
Aug 18, 2010
I'm writing a simple Intranet application using windows authentication. I want to restrict access to Safe/UCantSeeMe.aspx. I am aware of the AuthorizeAttribute, but this only works on methods. I also found a good post on doing this with the MVC pattern, but I'm not using MVC. This can be done with roles in forms based security. I read on MSDN that using windows based security means roles are based on groups, but it doesn't go into any detail. how can I restrict access to Safe/UCantSeeMe.aspx?
View 1 Replies
Oct 27, 2010
I have implemented role based security in my asp.net 2.0 vb.net application using windows authentication and the windowstokenroleprovider and limiting access to certain pages using the location tag to specific active directory groups.
The issue is that when a user tries to access a page they are not authorized to view it brings up a login prompt and when it does not pass it takes them to the default page that tells them they are not authorized to view the page. I am wondering if there is a way to throw up a custom page that tells them they are not athorized to view the page that I can incorporate into the site itself with the header and so forth? if this page could come up in lieu of the sign in box popping up as well.
View 2 Replies
Apr 24, 2010
[ASP.NET 3.5, FormsAuthentication, SQL Server]
In the Roles table there is Role, and RoleType.
I have 3different roles, 2 of which have sub-roles.
Example
Role----------------------Type
Adminstrator
Subscriber---Basic
Subscriber---Business
I need to implement Code Access Security, and URL based security using the roles & types...
For instance, the (Subscriber/Basic) would need to view a different set of pages, and have different access to things then a (Subscriber/Business).
I think I can handle the Code Access security with a custom attribute, but I am unsure to how enforce a User be apart of 2 roles in the URL Authorization.
I am currently using the web.config to deny/allow access to the directories/pages.
e.g.
/Areas/Admin/web.config
[Code]....
Is it possible to force the user to be apart of 2 roles with this technique?
View 1 Replies
Apr 6, 2010
I'm generating a file on the server which takes some time. For this, I have a hidden iframe which I then set the .src attribute to an aspx file i.e iframe.src = "/downloadFile.aspx"While this is taking place, I'd like to have a call to a web service return the progress. To do this, I thought I could use window.setInterval or window.setTimeout but Javascript seems to be blocked as soon as I set the iframe src attribute.Does anyone know how to get around this or perhaps try a different approach?I have also tried handlers, but the request never gets to the server so I'm assuming is a browser/javascript issue.
//Function that gets the file
function GetFile() {
setTimeout(GetProgress, 1000);
var iframe = document.createElement("iframe");
[code]...
View 2 Replies
Jul 1, 2010
i m using two grid in both gird i have a text box control on which i apply some java script funtion. my broblem is that when i press a tab key then its block my textbox. it means i m not able to press any key in that box even mouse click is not working.
my both grid in a same update panal but when i set focus out of that update panal and back to my text box they are start working properly.
i m applying a Web method on that text box also which call by javascript.3
View 2 Replies
Aug 1, 2010
I have a bookingwith credit card page in my application and users will enter their crdit card details inside the textboxes. but after they enter them and post it the browser cache the data and after that in the same textbox, it can be autocomplated.
View 1 Replies