Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > Protecting PDFs with Forms Authentication?

Reply
Thread Tools

Protecting PDFs with Forms Authentication?

 
 
Mike Kingscott
Guest
Posts: n/a
 
      06-21-2004
Hi there,

I'm writing an app in which a punter buys some PDFs online. After
purchasing said PDFs, they will be given a token (bless them Guids) to
go to a download .ASPX page from which they can download the PDFs.

I'm planning to use Forms Authentication to protect the .ASPX page
which gives them the list of PDFs they can download (driven by the
token, which will be their order number or similar). The page will
also only allow 10 loads and the list of PDFs will only be available
for 24 hours to cut down on other people obtaining the PDFs.

And there's the rub: for the PDFs to be downloaded from the site, they
have to exist in the site. And if that's the case, what's to prevent
people figuring out (right-click, view properties of the hyperlink)
the URL of the PDF and going directly to the PDFs? I was hoping that
Forms Authentication would protect all files in a folder, but it
appears not to do so - I directly download a PDF file in a folder
protected by Forms Authentication, guess it only works for .aspx
files?

So, does anyone have any suggestions? I did think about creating a
separate folder for each order (i.e. each Guid), and then copying the
PDFs into that, but the files are quite large, and then a job on the
server would have to run each day to wipe old folders, etc.

Yours in hope,

Mike Kingscott
 
Reply With Quote
 
 
 
 
Raterus
Guest
Posts: n/a
 
      06-21-2004
I believe all you need to do is to configure your IIS App Mappings under Home Directory/ Application Settings/ Configuration to route requests for .pdf's through aspnet_isapi.dll. Forms authentication should pick up on the requests then, and allow/deny them access accordingly.

--Michael

"Mike Kingscott" <(E-Mail Removed)9.co.uk> wrote in message news:(E-Mail Removed) m...
> Hi there,
>
> I'm writing an app in which a punter buys some PDFs online. After
> purchasing said PDFs, they will be given a token (bless them Guids) to
> go to a download .ASPX page from which they can download the PDFs.
>
> I'm planning to use Forms Authentication to protect the .ASPX page
> which gives them the list of PDFs they can download (driven by the
> token, which will be their order number or similar). The page will
> also only allow 10 loads and the list of PDFs will only be available
> for 24 hours to cut down on other people obtaining the PDFs.
>
> And there's the rub: for the PDFs to be downloaded from the site, they
> have to exist in the site. And if that's the case, what's to prevent
> people figuring out (right-click, view properties of the hyperlink)
> the URL of the PDF and going directly to the PDFs? I was hoping that
> Forms Authentication would protect all files in a folder, but it
> appears not to do so - I directly download a PDF file in a folder
> protected by Forms Authentication, guess it only works for .aspx
> files?
>
> So, does anyone have any suggestions? I did think about creating a
> separate folder for each order (i.e. each Guid), and then copying the
> PDFs into that, but the files are quite large, and then a job on the
> server would have to run each day to wipe old folders, etc.
>
> Yours in hope,
>
> Mike Kingscott

 
Reply With Quote
 
 
 
 
Patrice
Guest
Posts: n/a
 
      06-21-2004
They have not necessarily to be on the site. A web page could rread this
file from another locartion and stream its content to the browser (see the
Response.WriteFile method).

Patrice

--

"Mike Kingscott" <(E-Mail Removed)9.co.uk> a écrit dans le message de
news:(E-Mail Removed) m...
> Hi there,
>
> I'm writing an app in which a punter buys some PDFs online. After
> purchasing said PDFs, they will be given a token (bless them Guids) to
> go to a download .ASPX page from which they can download the PDFs.
>
> I'm planning to use Forms Authentication to protect the .ASPX page
> which gives them the list of PDFs they can download (driven by the
> token, which will be their order number or similar). The page will
> also only allow 10 loads and the list of PDFs will only be available
> for 24 hours to cut down on other people obtaining the PDFs.
>
> And there's the rub: for the PDFs to be downloaded from the site, they
> have to exist in the site. And if that's the case, what's to prevent
> people figuring out (right-click, view properties of the hyperlink)
> the URL of the PDF and going directly to the PDFs? I was hoping that
> Forms Authentication would protect all files in a folder, but it
> appears not to do so - I directly download a PDF file in a folder
> protected by Forms Authentication, guess it only works for .aspx
> files?
>
> So, does anyone have any suggestions? I did think about creating a
> separate folder for each order (i.e. each Guid), and then copying the
> PDFs into that, but the files are quite large, and then a job on the
> server would have to run each day to wipe old folders, etc.
>
> Yours in hope,
>
> Mike Kingscott



 
Reply With Quote
 
Mike Kingscott
Guest
Posts: n/a
 
      06-22-2004
Guys, thanks very much for the speedy response. At the moment, I've
gone for protecting the file via the aspnet_isapi.dll method, and it
works just dandy. As for using the Repsonse.WriteFile method, I may
have to try that as well, just for extra security, but I'm wondering
if it would work for a right-click Save As... command? Ah well,
something to play with when I have time

Thanks again,

Mike Kingscott
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Setting a default value in forms and protecting it hanseymoon@gmail.com Javascript 9 05-29-2012 08:36 AM
forms authentication -- expired forms cookie vs. not provided forms cookie Eric ASP .Net Security 2 01-27-2006 10:09 PM
protecting two different folders with forms authentication Adam ASP .Net 2 03-27-2005 02:12 AM
Re: Where to download latest TestKing PDFs? C_TESTORE Microsoft Certification 0 12-13-2004 03:00 AM
IP PBX Tutorials, whitepapers, pdfs learning site -- free access... ShaperShifter Cisco 0 06-07-2004 05:15 AM



Advertisments