Protecting files on the server.

[UJ]

Folks,
We provide custom content for our customers. Currently we put the files on
our server and people have a program we provide that will download the
files. These files are usually SWF, HTML or JPG files. The problem as I see
it - if you know the name of the file, you could download it off the server
(currently we are using an HTTP/Get but I'm going to be using WebClient in
the new version.)

If there any way to password protect the file so people can't just download
them even if they know the file name?

The solutions I've come up with are:

1. Store the file in the database as a blob and read it (but this could get
slow as we will eventually add video which could get really big - up to
100MB).

2. Write a web service that will transfer the file back that has a password
on it.

Any other suggestions?

TIA - Jeff

 

[Eliyahu Goldin]

Jeff,

Another solution is to have the users authenticated in the program and have
the files sitting in a local directory that the program will be the only way
of getting to the files from outside.

Eliyahu

 

[UJ]

Eliyahu,
I'm not sure I understand you. That is essentilly what we already do. The
problem is when the program goes out to our server to get the file, the
files are unprotected on our server. I guess the question becomes how should
I protect the files on the server so the program and only the program can
access them.

Jeff.

 

[S. Justin Gengo]

Jeff,

You could turn off anonymous access on the website and use only integrated
security. Integrated security uses encrypted user names and passwords. Then
create a username and password for your application to use when it makes the
webrequest for a file in question. You can create a Credential object that
the webrequest may use in order to authenticate to the website.

--
Sincerely,

S. Justin Gengo, MCP
Web Developer / Programmer

www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche

 

[Eliyahu Goldin]

Does your program on server in asp.net? If it does, are the files on a
separate server?

Eliyahu

 

[UJ]

The files are all on the same server as my ASP.Net application.

 

[Eliyahu Goldin]

Why do you say the files are unprotected? If you keep them just in a local
directory, not mapped as a virtual one and not a sub-directory of your site,
no one can get to them from the web.

Eliyahu

 

[UJ]

I guess that's the problem. At the moment if you go to
www.fred.com/files/file1234.swf it will bring up the file. What I'm looking
to do instead is have the program ask the server for a file somehow - but
I'm looking for suggestions on how to do that. I would assume it would be a
web service that the program calls. But what's the easiest way to transfer
the file. Currently I'm using WebClient.

TIA - Jeff.

 

[Eliyahu Goldin]

Sorry for making the same point again and again. Do you have a particular
requirement for keeping files in a subdirectory of your site or a virtual
directory?

Eliyahu

 

[UJ]

Eliyahu,
First thanks for attempting to help me on this. Let me start over and
explain what I'm trying to accomplish and that may help.

I am working on a system where we display content my company creates. The
end user has a machine we provide them. Currently we generate a list of
files that then get downloaded to the machine via an HTTP Get command (both
the list of files plus the actual files to be downloaded). The files are in
a virtual directory on our server which you can connect to directly through
a browser interface (the original version of the software, which I didn't
write, went the net directly every time but if your net connection was down
nothing would display.) So currently the program(s) get the list of files it
needs to download, then it goes out through an unsecured (although it is
SSL) connection to a virtual directory on our server.

My problem is, and maybe I'm making too much of this is if you know the
directory name on the machine, you can pretty quickly figure out our naming
convention and then just start grabbing the files yourself. This of course
is not what we want. We want people to pay for our service.

So my thought was trying to do something to protect the files on the server.
I realize I could make them not in a virtual directory and write a Web
Service that would transfer the files but that seems cumbersome. If that's
the best way to do it, I'm OK with it. The problem could be though that the
files we transfer at the moment are small (< 1MB) but could in the future
get huge (we are talking about doing video.) So I'm looking for a solution
that can handle those files.

Currently I'm using WebClient which doesn't appear to have any security on
it.

Hope this is clear.

Thanks again for your help.

Jeff.

 

[Eliyahu Goldin]

Jeff,

I would recommend keeping the files in a server's local directory, not on a
virtual one, and providing an asp.net page that would serve download
requests. Instead of using http Get command, make calls to
GetFiles.aspx?action=list for the list of files and
GetFiles.aspx?action=file&name=file1234.swf . GetFiles.aspx would get the
files from the local directory and stream them down to the clients. You
don't need any webservice for that.

Eliyahu

 

[UJ]

Eliyahu,

Thanks for the info but I'm not sure how the page would return the file. Do
you mean have GetFiles.aspx would just load the file? What would I do on the
client end - a WebClient request with that as the URL?

Jeff.

 

[Eliyahu Goldin]

Any control that refers to an url can refer to
GetFiles.aspx?action=file&name=file1234.swf
Like <a href="GetFiles.aspx?action=file&name=file1234.swf" ...
or
<img src=GetFiles.aspx?action=file&name=file1234.gif...
The server code should take care of streaming the file with correct MIME
type.

Eliyahu

 

[UJ]

Great! I'll give it a try.

Thanks again for your help.

Jeff.

 

[UJ]

Ok Eliyahu. Aparently I'm an Idiot. How do I download the file in the
GetFiles.aspx page? I tried a server.transfer and it didn't display
correctly (of course I tried it just in the browser not calling it from
another piece of code.)

Any suggestions?

Jeff. (You humble servant....)

 

[UJ]

Eliyahu,
Thanks anyway. I got it to work!

Jeff.

Ok Eliyahu. Aparently I'm an Idiot. How do I download the file in the
GetFiles.aspx page? I tried a server.transfer and it didn't display
correctly (of course I tried it just in the browser not calling it from
another piece of code.)

Any suggestions?

Jeff. (You humble servant....)

 

[UJ]

Eliyahu,
I spoke to fast. When I tried it I was pointing to a file in a virtual
directory. How to I getfiles.aspx return the file? I tried server.transfer
and that didn't work.

Thanks again.

Jeff.

 

[Eliyahu Goldin]

Jeff,

In this example I get a picture from a database and send it down to the
client.

protected void Page_Load(object sender, System.EventArgs e)
{
// get image type and id
int imageType = System.Convert.ToInt32
(this.Request.Params["type"]);
string imageId = this.Request.Params["id"];

string sql; // query to get image field
System.Data.SqlTypes.SqlBinary image; // image from database

// make query to get image
switch (imageType)
{
case 1: // patient photo
sql = String.Format ("SELECT patient_photo FROM
dem_patient WHERE patient_id = {0}", imageId);
break;
default:
sql = String.Empty;
break;
}

if (sql != String.Empty)
{
// get image from database
MMI.DataAccess.DbAccess dba = new MMI.DataAccess.DbAccess
();
try
{
System.Data.SqlClient.SqlDataReader reader =
dba.RunSelect (sql);
reader.Read ();
image = reader.GetSqlBinary(0);
reader.Close ();
}
finally
{
dba.Dispose ();
}

if (!image.IsNull)
{
// stream image down to client
this.Response.ContentType = "image/gif";
this.Response.BinaryWrite (image.Value);
}
}
}

Eliyahu

 

[UJ]

Eliyahu,
I got it to work - thanks!

Jeff.

Eliyahu,
I spoke to fast. When I tried it I was pointing to a file in a virtual
directory. How to I getfiles.aspx return the file? I tried server.transfer
and that didn't work.

Thanks again.

Jeff.