Security :: Disallow Direct Access To Files?
Aug 19, 2010
Here is my dilema, on my site i have a WordPress Audio player (http://wpaudioplayer.com/standalone) that plays my mp3's.
It loads the Mp3's in by javascript...example below:
AudioPlayer.embed("audioplayer_7", { soundFile: "/Files/Music/[name of file].mp3" });
This file name is clearly visible in the browser source. Not a problem, however this means that any user can legitimately browse to the file directly and download it.
Now i still need the mp3 player (which is flash) to have access to the file but if a user was to try accessing the file directly, they would not be allowed access to it.
I am not sure how to go about this, i am circling the idea of a httphandler but not sure if this is sufficiant to stop the direct access to the file.
View 2 Replies
Similar Messages:
Jan 10, 2011
My ASP.NET application logs transactions (both inside AND outside of databases), and therefore needs read/write access to text files within various directories within the root of the website - in ADDITION to the normal database access.
In this scenario, how can I safely allow my ASP.NET application to write data to the web folders? I have a thread-safe DLL that performs the actual work, so I don't believe I need to worry about multiple sessions writing to the log files at the exact same time - assuming my DLL will only be running in a single instance/process that will be shared between numerous ASP.NET instances/processes/threads.
But I'm more concerned about file access permissions. I've heard that ASP.NET applications generally aren't allowed access to the webserver's local file system, and that this may even restrict my DLL from getting the correct file access. Can I grant my application file-access to the web-driectories?
View 1 Replies
Jun 28, 2010
I need to restrict access to pages based on permission given to roles based user .Roles created dynamically so that i can't restrict thru the WEB config file .i am using the custom sitemap so menu is showns correctly based on roles , but if we enter direct url in address bar we can access that page although its not permitted for the user .is there any other way to redirect to common access restrict page .
View 3 Replies
Dec 28, 2010
I have certain pages in my application that are designed to be accessed only by redirect from other pages, and not directly(i.e they must get a query string from other page, otherwise there is an exception).
So I want to prevent users from accessing them by typing the URL, but I want them to be available by redirect.
View 1 Replies
Mar 17, 2010
I have a security issue in my web application where user can enter malicious data/can change the page path directory. To avoid these i want to restrict the user by accessing/typing in the URL.
View 5 Replies
Oct 15, 2010
Im using an aspx page as the srcl for an image in the host page to serve a dynamically generated image to the user based on parameters they supply
ie
<img alt="" src="generateimage.aspx" id="imagegen"/></div>
Id like for people only to access the content via default.aspx and not the dynamically generated content generateimage.aspx. Any attempt to browse here directly should be redirected to an error page
View 1 Replies
Feb 15, 2011
I have a web app developed using role & membership provider...
this is my web.config file
<authentication mode="Forms">
<forms loginUrl="Forms/LogIn.aspx" name=".ASPXFORMSAUTH" defaultUrl="Forms/main.aspx" timeout="30"></forms>
</authentication>[code]....
So i would like that the page "pag1.aspx" is reached bypassing the "main.aspx" so If I try to digit directly on the server http://localhost/forms/pag1.aspx?C=159 ......correctly appears the login page....and the URL became..
http://localhost/Forms/LogIn.aspx?ReturnUrl=%2fForms%2fpag1.aspx%3fC%3d151&C=159 and after login I can see correctly the page1.aspx . when I try to reach the page from my browser..I digit
http://myserver/forms/pag1.aspx?C=159 .... the login page appears...but the url became..
http://myserver/Forms/main.aspx
and after login I cannot see the page1.aspx....but main.aspx
View 1 Replies
May 24, 2010
In one of my website I need to prevent direct access to non .aspx pages in a protected folder. Authentication works fine if I am going to [URL] but in one case my users are uploading html pages in that folder and if somebody cut and paste [URL]the page can be seen without the authentication process to be activated.
View 6 Replies
Sep 22, 2010
I'm working on a website where I need to prevent the direct linking to a few pdf files. I'm using ASP.net 2.0. Is there an easy way in code to do this? or some simple IIS setting?
Right now i'm just using a standard anchor tag to link to the files. i can validate the user on the page containing the anchor tag but that still doesn't stop the user from nabbing the url and passing it on to someone else.
View 4 Replies
May 24, 2010
I have a ASP.NET page called admin.aspx that needs to be protected from direct access.
I want it to be accessed only when the user enter his name & password in another page called login.aspx I'm working in ASP.NET with Visual Basic .NET 2008,how to do it.
View 4 Replies
Mar 11, 2010
I have a webpage errors.aspx that needs to be protected from direct access. I want it to be accessed only when redirected to by another web page.
View 3 Replies
Jun 15, 2010
I have built an online CMS that is forms authenticated. The CMS allows administrators to upload files to the website. These files are stored outside of the Forms Authenticated section of the site so that they can be accessed from another site I have built. This other site is also forms authenticated, so users must log in and then they can access the files on the CMS site. site1.com: CMS for administrators only. Site stores all the files. site2.com: Access site.
My second website (The access site), is basically an empty shell that is filled with all of its content through the CMS using an SQL database and then displayed on the page. This works fine as only authenticated users have access to the interface used to view and download the files. My problem was, even though there is no public interface to find the files, someone could surely type [URL] and the video would be available to them. I dont really know what to do here, is there any way that people could be blocked from retrieving the files like this?
View 1 Replies
Aug 2, 2010
I run a simple .aspx website on a Windows Server 2008 machine.There is no impersonation, and System.Security.Principal.WindowsIdentity.GetCurrent().Name returns NT AUTHORITYNETWORK SERVICE, which it the account which the application pool runs.I tried to test the security of the application and server by removing file permissions to the .aspx files. I was greatly worried when the website continued to run without problem (it should not have been able to read the .aspx files).By turning on file level auditing, I discovered that the .aspx files were being read by the machine$ account (if the machine is called Serv1, then the files would be read by the Serv1$ account, which seems to have access to all files on the local machine).Is this a security breach or is this behaviour by design ?
View 4 Replies
Aug 11, 2010
I have a folder with username and password over it.I wanna make a page where i can access files under that folders in .net and be able to download them.How to code that in VB.net?
View 2 Replies
Mar 7, 2011
My restricted files are all stored in ~/Secured folder on the root. Authorized users have no trouble accessing aspx files in that folder. Recently I added a part of an application whose files I wanted to keep separate and created a ~/Secured/HR folder. I am getting a "resource not found" error trying to use any aspx file in HR folder even after user successfully logs in, as if the file does not exist at all. Here is my web.config security settings:
[Code]....
Do I need to configure security for that folder separately?
View 1 Replies
Sep 28, 2010
how to redirect to particular page after login. I have login,EDetails,home page..
1.If the user login very first time(suppose he does not have any personal details) he should be directed to EDetails.aspx
2.User who submitted the personal details already should be redirected home.aspx page.
I have 2 tables later i will add more,1.login table,2.employee detailed table.I am using Login control for login page
I am using Version ASP.Net3.5 with MySql database, Code where i am redirecting in login page
Protected Sub Login1_Authenticate(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) Handles Login1.Authenticate
If YourValidationFunction(Login1.UserName, Login1.Password) Then
Login1.Visible = False
Session("UserName") = Login1.UserName
Response.Redirect("EDetails.aspx", True)
Else
e.Authenticated = False
End If
End Sub
View 5 Replies
Jan 29, 2010
I have a web app, which contains a folder Uploads, to which users (authenticated) upload their files (for some reason it has to be a folder in the root of the web app).I want to deny access to this folder and files to all non-authenticated users.
In my web.config I have:
[Code]....
and everything seems to work in development, but on a staging server it redirects non-authenticated users to login page ONLY from aspx pages, but not when entering the url to the file in Uploads folder.
View 5 Replies
Jun 7, 2010
I am an experienced developer but I am new to web application development. Now I am in charge of developing a new web application and I could really use some input from experienced web developers out there.
I'd like to understand exactly what experienced web developers do in the code-behind pages. At first I thought it was best to have a rule that all the database access and business logic should be performed in classes external to the code-behind pages. My thought was that only logic necessary for the web form would be performed in the code-behind. I still think that all the business logic should be performed in other classes but I'm beginning to think it would be alright if the code-behind had access to the database to query it directly rather than having to call other classes to receive a dataset or collection back.
View 2 Replies
Mar 30, 2011
I am using IIS7's URLRewrite feature to hide the .aspx extension in my ASP.NET WebForms application's URLs.
I'm using the following configuration:
[code]....
I can now browse to:
[URL]
and this is rewritten to:
[URL]
This preserves the "pretty" url in the browser address bar. I have also updated all my links on the site to use the extensionless URLs.
The problem is that the underlying .aspx pages can still be accessed directly and I'd like to prevent this.
If a user browses to [URL] I'd like it to either redirect/rewrite to [URL], or at the very least just return a "Page not found".
Update:
I managed to get this working by redirecting all .aspx pages to the home directory. This isn't ideal as I'd prefer to send them to the non-.aspx version, but it will do for now.
<rule name="Block .aspx" stopProcessing="true">
<match url=".aspx" />
<action type="Redirect" url="/" />
</rule>`
How do I rewrite and redirect URLs that directly address .aspx pages to my friendly URL format?
View 2 Replies
Aug 18, 2010
Why can I still access files inside a forms authenticated part of my site? Any webpages say that you need to login to view them, but people can still access images by typing in the address bar. I am using forms authentication with my own database, so none of the aspnetdb services like membership roles etc. Is this a bad way to do things because I'm pretty deep into it now and it would be very difficult to change.
View 16 Replies
Jan 27, 2011
How to Direct Users to specific Page By roles?
View 10 Replies
Nov 22, 2010
I am trying to put SSL on my website.
My problem is that my site dynamically loads different images and CSS from other URL's. These URL's are also hosted on my dedicated server.
To avoid the popup on the sicure site (ssl) that there are some not sicure elements on the page, I would like to make a direct path to the images (d:inetpubanothersite.comwwwrootimagesmyimage.jpg) instead of <img src = "http://www.anothersite.com"
View 2 Replies
Apr 1, 2010
In the web.config file i have put some code in so that when users log in they will be re-directed to another part of the website which only registered users can access. for the admin part only the admin can log in and it takes him to the admin section and that works fine. it is only this that is causing me problems.
the code i inserted for which the user needs to be diverted to is:
<location path ="UserLoggedInFindUs.aspx">
<system.web>
<authorization>
<deny users ="?"/>
[Code]....
View 11 Replies
Feb 8, 2011
I'm looking for a regex that will allow Alpha Numeric and most all special characters except white space. It should be usable in c#. It would be nice if .net supported posix style but I can't seem to get it to work.
View 1 Replies
Aug 10, 2010
Is there a way to disallow the asp:Literal from outputing HTML ?
If I input the text <b>Hello world</b> I want to show it just like that, and not in bold.
If possible I don't want to extend it, because I would have to change the whole project.
View 3 Replies
