How do you lock down & secure files stored on server in ASP.NET?

Posted by Jon on Stack Overflow
Published on 2010-04-23T19:37:12Z Indexed on 2010/04/23 20:03 UTC

How do I go about securing files that are stored on the server? We have an ASP.NET app which generates PDFs. These are not stored in the wwwroot folder but in another folder, i.e. C:\inetpub\data. This provides more security but maybe not enough. The ASP.NET/IIS process will need write access to this folder so it can generate the PDFs there.

Once the PDF is generated, it can be viewed using an ASP.NET form called viewpdf.aspx with the file to be viewed added to the query string like so: viewpdf.aspx?FILE=mynewfile.pdf. This is loaded from a gridview.

The full path to C:\inetpub\data is resolved and loaded in the Page_Load event of the viewer page. Now I'm wondering how to secure this. Anybody could just view the file. Not by entering in the URL, as it won't be seen by IIS (it's not in wwwroot), but they could change the query string in the viewpdf page.

How do I stop anybody hacking this?

© Stack Overflow or respective owner
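
One way to harden the viewer page described in the question, as an added example that is not part of the original post: the `FILE` value is treated as a bare file name, canonicalised and checked to stay inside C:\inetpub\data, and served only to the user recorded as its owner. The class name `ViewPdf`, the helper `ResolvePdfPath` and the `OwnerOf` lookup (a stand-in for whatever table the application uses to record who generated each PDF) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

public partial class ViewPdf : System.Web.UI.Page
{
    // From the question: PDFs live outside wwwroot.
    const string DataRoot = @"C:\inetpub\data";

    // Assumption: stand-in for an application table that records which user
    // generated which PDF (constructed sample data).
    static readonly Dictionary<string, string> OwnerOf =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { "mynewfile.pdf", "jon" } };

    // Hypothetical helper: returns the full path for a requested name, or null
    // unless it is a plain *.pdf file name that resolves directly inside root.
    public static string ResolvePdfPath(string root, string requested)
    {
        if (string.IsNullOrEmpty(requested)) return null;
        // Rejects path separators, ':' and control characters in the name.
        if (requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;
        if (!requested.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase)) return null;

        string rootFull = Path.GetFullPath(root).TrimEnd('\\') + "\\";
        string full = Path.GetFullPath(Path.Combine(rootFull, requested));
        // Containment check after canonicalisation, so nothing resolves outside root.
        if (!full.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase)) return null;
        return File.Exists(full) ? full : null;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
            throw new HttpException(401, "Login required");

        string name = Request.QueryString["FILE"];
        string path = ResolvePdfPath(DataRoot, name);
        string owner;
        bool allowed = path != null
            && OwnerOf.TryGetValue(name, out owner)
            && string.Equals(owner, User.Identity.Name, StringComparison.OrdinalIgnoreCase);
        // Same response for "missing" and "not yours" so file names cannot be probed.
        if (!allowed) throw new HttpException(404, "Not found");

        Response.ContentType = "application/pdf";
        Response.TransmitFile(path);
    }
}
```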
