Security :: Securing Files Using Handler And App_Data Folder?
Sep 16, 2010
I have secured some files on my webserver by putting them into the App_Data folder in the root (I do not have the option to secure folders using the ISAPI filter). The user gets access to these files by requesting them through a handler, e.g. by requesting ~/Handler.ashx?file=App_Data/MySubFolder/MyFile.jpg. Now, I want to make all the content in a specific folder called "Members" (a single subdirectory of the App_Data folder) available only by passing a specific password, that is, by requesting ~/Handler.ashx?file=App_Data/MySubFolder/MyFile.jpg&password=xxxx. In my Handler.ashx I have written some logic checking if InStr(context.Request.QueryString("file"), "Members") = 0 before sending the file. If InStr <> 0, a password is required. Is this a good way to secure a folder and its content? Is there a way of getting access anyway, like using some kind of "sub-directory" line in the path (the same way as you can request the parent directory by using "../../Myfile.jpg")? I know there will be a problem if someone, e.g., legitimately tries to access the file App_Data/Members.jpg.
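The question above turns on whether a substring test on the raw query string is a sound gate. As an added example (not code from the original post), here is a check that resolves the requested path first and then decides by directory containment; `FileGate`, `Classify` and the sample site root are hypothetical names, and `Members` is assumed to sit directly under `App_Data` as the post describes.

```csharp
using System;
using System.IO;

// Added example, not the poster's handler. All names are hypothetical.
static class FileGate
{
    public enum Decision { Reject, Public, NeedsPassword }

    static string WithSeparator(string dir)
    {
        string sep = Path.DirectorySeparatorChar.ToString();
        return dir.EndsWith(sep) ? dir : dir + sep;
    }

    // siteRoot:  physical path of the site root (Server.MapPath("~") in a handler).
    // requested: raw "file" query-string value, e.g. App_Data/MySubFolder/MyFile.jpg.
    public static Decision Classify(string siteRoot, string requested)
    {
        if (string.IsNullOrEmpty(requested)) return Decision.Reject;

        string appData = WithSeparator(Path.GetFullPath(Path.Combine(siteRoot, "App_Data")));
        string members = WithSeparator(Path.Combine(appData, "Members"));

        string full;
        try
        {
            // GetFullPath collapses "." and ".." segments and normalises separators.
            full = Path.GetFullPath(Path.Combine(siteRoot, requested));
        }
        catch (Exception ex) when (ex is ArgumentException || ex is NotSupportedException
                                   || ex is PathTooLongException)
        {
            return Decision.Reject;
        }

        // Decide on the resolved path. The trailing separator makes this a directory
        // test, and the comparison ignores case because Windows file names do.
        StringComparison cmp = StringComparison.OrdinalIgnoreCase;
        if (!full.StartsWith(appData, cmp)) return Decision.Reject;
        return full.StartsWith(members, cmp) ? Decision.NeedsPassword : Decision.Public;
    }

    static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "site"); // constructed sample root
        string[] samples = {                                    // constructed sample requests
            "App_Data/MySubFolder/MyFile.jpg", "App_Data/Members/MyFile.jpg",
            "App_Data/MySubFolder/../Members/MyFile.jpg", "App_Data/Members.jpg",
            "../../Myfile.jpg" };
        foreach (string s in samples)
            Console.WriteLine("{0,-45} {1}", s, Classify(root, s));
    }
}
```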
The following code is used to add the asp membership tables to an already existing database instead of creating a separate database for membership and having two databases in the application.
aspnet_regsql.exe -S .\SQLEXPRESS -U username -P password -d databasename -A all
It works fine by adding the membership tables to the existing database that is located in the c drive, program files sqlserver folder.
But my database however is not in the c drive but located in my asp website app_data folder, so the above code does not give any error and the tables are not added after I run it. How can I now add the membership tables using the above code when my database is located in the website app_data folder?
I am having problems getting the security.aspx to load up on my primary development computer which is using Windows 7 Ultimate and Windows IE 8. Clicking on the ASP.NET Configuration icon from the IDE in the Solution Explorer within Visual Web Developer 2008 Express Edition loads up default.aspx with no problem. But when I click on the "Security" hyperlink to access "security.aspx" I get a message along the lines of "The configured SQL data source provider is not properly configured". It goes on to state a list of potential reasons for this problem, one of which is not having the proper credentials or permissions. I'm almost 100% sure it has something to do with permissions because I can't even get to the "security.aspx" page from opening a new empty project. I have recently installed Visual Web Developer 2008 Express Edition on my laptop which is running Vista with all latest updates and this issue does "not" exist. I can click the "ASP.NET" icon, load up "default.aspx" and click "Security" and it loads the page with absolutely no issues.
I have discovered a weird workaround but I don't like having to do this. If I add the following lines to my "web.config" file from any given project I can get to the "security.aspx" page without getting any SQL messages about improper configuration or permissions.
Basically, what I have to do to get the security page to load without error is add a remove statement and then I just cut'n'paste almost the exact same connectionString from machine.config in the Microsoft.net\FrameWork\V2.0.5027\config directory. This does away with the "Improperly configured SQL datasource message" and gets me a new error message along the lines of "Could not create a SQL instance". My memory is fuzzy on exact error messages since I'm not at my development computer right now. However, when I change the User Instance attribute from true to false, then I have success at last.
I have a folder with png images that are not shared or public (the folder is outside my application folder). Now I want my users to be able to view those images only if they are logged in (different users, different images). All images have a name that corresponds to the user's id. My idea is to stream those images into the asp:Image control, is that possible? How do I do that? Other (better) solutions?
Pardon if this is a very dumb question, but I was trying to migrate an existing ASP application to asp.net MVC, and followed the procedure from the music store tutorial (http://www.asp.net/mvc/tutorials/mvc-music-store-part-4), which involves adding the database to the App_Data folder. (I had to restart my machine before it would work, since otherwise, Visual Studio thought the database was being used by another application.)
Now when I check in Windows Explorer, it looks like the database file was literally copied into the App_Data folder, and now I have two mdf files on my hard drive with the same name. What is going on there?
Will my MVC app ignore the original (real) database and use its own private copy instead? (That would be bad.) Or is the new copy just for reference when using wizards that generate entity classes etc.? If the latter, what is the procedure when the real database is modified, to update the application code?
In my website I have a page to upload files. It works fine when I run the website on my local machine and also in Visual Studio on the server. But I cannot upload files when I access the website through the browser. I have given all the permissions I know to the upload folder, like ASPNET, Network Service and IUSR. I am using IIS 6. It is a dedicated hosting. I can access all the pages, but only the upload does not upload files to the folder and it goes to the error page (but I don't know what the error is).
I have put a css file in the App_Data folder and referenced it properly in the page to be used. But when I browse the page then it does get loaded and page is shown without styling. Well, I know why it is happening: the Asp.Net run time blocks access to the App_Data folder at run time. But I wanna ask how we can make it work, that is, I put the css file in the App_Data folder and it still works.
I am building an ASP.NET 3.5 Web Application and I am NOT using the membership provider for security. In the application I have a role named Admin and all the files for this role are inside the Security folder in the project. Currently for all the pages inside the security folder I am checking to see if the logged in user's role is an Admin or not. This to me seems very redundant. Can I do something like "If the user is requesting a page inside the security folder then check his role"?
I can see the AdventureWorks MDF file in my Server Explorer window in VS, but when I try to add this database file as an Existing item to my App_Data folder in the Solution Explorer it gives me an error saying that this file is in use. Is it possible for me to add my Adventureworks database to the App_data folder? I am running a 32-bit XP using SQL Server 2005 Express.
I have a few questions regarding the "special" ASP.NET folders in Visual Studio web projects.
The option to add an App_Data folder in Visual Studio is present, but grayed out in my C# web project, why? What are the meanings of the various ASP.NET "special" folders?
App_GlobalResources
App_LocalResources
App_Data
App_Browsers
Themes - I know this is used to contain stylesheets for a particular theme and is then specified in the web.config or page (if I remember right).
App_Code - Were these classes that were pre-compiled?
Do these ASP.NET folders retain their special meaning if you manually create a folder with the same name instead of using the "Add ASP.NET Folder" feature in Visual Studio?
My restricted files are all stored in ~/Secured folder on the root. Authorized users have no trouble accessing aspx files in that folder. Recently I added a part of an application whose files I wanted to keep separate and created a ~/Secured/HR folder. I am getting a "resource not found" error trying to use any aspx file in HR folder even after user successfully logs in, as if the file does not exist at all. Here is my web.config security settings:
Do I need to configure security for that folder separately?
I have 32-bit XP with SQL Server 2005 Express and VS 2008. I have successfully added the Adventureworks DB to my VS website and I can see it from Solution Explorer, however, the entire DB is attached. How would I only attach a few of the tables and stored procedures from this DB?
An associate wants to store an Access database in the App_Data folder of a website that lives on a local server and write new data to it daily from Microsoft Access on a client computer on the local network. Internet users will access the Access data from the website.
Is it possible to write to an Access database in the App_Data folder of a website that lives on a local server using Microsoft Access? And also connect and read with ASP.Net? The internet connection is "Read Only".
I'm new to .NET and while starting to learn ASP .NET MVC2 framework I see that you can create a .mdf file inside the App_Data folder and connect to it or you can connect to a SQL Server. What is the difference between these two methods of interacting with a database? What are the advantages/disadvantages of one over the other?
I have a web application project and I want to edit the aspnetdb database, but it does not appear in the App_Data folder. I can't even see the web.config file for subfolders. When I create a web site project in VS, I can see the aspnetdb database. VS version: 2008