Forms Authentication is a great methodology to use, but it is limited in what files it secures.  The only files that are protected by Forms Authentication are those that are processed by aspnet_isapi.dll.  This is limited to file types like ASPX, ASCX, etc.  Your images and other documents are not protected!  Try it and see--navigate directly to an image or other file in your web application.  Bad news if you were counting on these files being protected.  All is not lost--there are a couple of methods you can use to protect these files.

If you want to restrict who can download what from your website, this first option (or a variant) is pretty much your only solution.  Store the files you want to outside of your website if you can, or put them in a folder that is secured with NTFS to <machinename>\ASPNET user (or whatever user the process is running under).  If you're in a shared host environment, you may need to communicate with your host to help you out.  In order to allow a download to occur, don't link directly to the file.  Instead, use a button, and in the onClick handler, pass the file to the browser by using the HTTPResponse.Writefile() method (it's in the SDK available from www.asp.net --look it up if you need to) or serialize the file and write it to a binary stream.

If you just need to keep unauthenticated users out of your files, but allow authenticated users, you have a simpler method available to you.  However, if you're in a shared environment, you will definately need to talk to your host about this one.  You can map other filetypes to the aspnet_isapi.dll in your IIS control panel.

1) right-click "My Computer", choose MANAGE.
2) drill down: Services and Applications >> Internet Information Services >> Websites.
3) If you are on a non-server edition of Windows, expand Default Website. Otherwise, skip this step.
4) Right-click on the application you need to re-map, choose "Properties".
5) Click the "Configration" button.
6) On the first tab, you'll see a list of file mappings. Highlight the listing for ASPX, click Edit, and copy the entire entry in the "Executable" box.  Make sure you copy the whole path for the DLL.
7) Click Cancel so you don't accidentally mess anything up.
8) From the list of mappings, click Add.  Paste the executable path in the box, enter the extension in its box(case doesn't matter, but the dot does).  Limit verbs to "GET, POST" and uncheck the other two boxes.  Click OK a few times and close your way out.

You probably don't have to stop and restart IIS, but it wouldn't hurt to do so.

 

Share this post: email it! | bookmark it! | digg it! | reddit! | kick it! | live it!