RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


Protect Your Downloadable Files Using HTTP Handlers : Page 2

This article attacks a problem for which I have heard many solutions: How can you offer file downloads on the Internet and protect them from unauthorized downloading?

IIS and Forms Authentication
As I specified earlier, IIS sends registered extensions to the aspnet_isapi.dll. Figure 1 shows you the IIS window where the list of registered extensions is found. You can find this dialog box by clicking on "Configuration" after viewing the "Properties" of a Web site or a virtual directory. A fortunate by-product of having registered extensions handled by aspnet_isapi.dll is that any files with these extensions are subject to ASP.NET Forms Authentication. While this article is not meant to be a tutorial on Forms Authentication, I'll demonstrate quickly how it works.

Custom HTTP handlers are classes that implement the IHttpHandler interface.
Forms Authentication allows you to secure Web pages against unauthorized access by anonymous users. The web.config file uses the following code to set up Forms Authentication:

   <authentication mode="Forms">
   <forms loginUrl="Login.aspx"/>
   <deny users="?"/>
This code prohibits users from accessing any page in a site without first going through an authentication process. If an anonymous user attempts to access a Web page, the code automatically redirects them to the Login.aspx page. It's up to the site developer to decide which authentication technique to use in this page, but in ASP.NET 2.0 a developer can easily accomplish this using the new security controls. (See Wei Meng Lee's article on the Security Controls).

Now, I just said that this code prohibits unauthenticated users from accessing any page, but what I really should have said is that it prevents unauthenticated users from accessing any file that gets intercepted by aspnet_isapi.dll. This will all make sense in a few paragraphs.

To walk through what I want to accomplish in the rest of this article, I need to describe some specifics of my e-commerce site that I'll be using.

My Plan for Protection
My site allows users to purchase software online. Users need to first register on my site before they can make any purchases or downloads. For the purposes of this article, I have a table for Users and a table for Products, each entity identified by a User Name and a Product ID. When a user makes a purchase, I create a record in another table that joins the user to that product using these fields. I'll call this table UserProducts.

The goal is to store all my software product files in a folder called Files, which resides under my Web site root folder. The Products table has a field for the product file name which corresponds to one of the zip files in my Files folder. I'll call this field ProductFileName.

So without any protection, I can simply accept a user purchase, and then send the user a link via e-mail to the zip file where they can download it; but that isn't secure at all, so I'll take it step-by-step.

Securing All Zip Files
First I want to protect all zip files from unauthenticated users. I want to subject all files ending with the extension ".zip" to ASP.NET Forms Authentication so that anonymous users cannot access them. Although this step is not crucial, it adds more security on your files—which is not a bad thing.

Usually if you browse directly to a zip file on a Web site, the site prompts you to either open or save the file to your disk. I want ASP.NET to intercept a request to add files ending in a "zip" extension, so I need to add that extension to the list of application mappings in IIS.

I start by opening up the IIS management console and locating the site (or virtual directory) in question. Right-clicking and selecting "Properties" displays Figure 2. If I click the "Configuration" button in the "Web Site" or "Virtual Directory" tab, I see the list of extensions and which DLL has been assigned to handle them (Figure 1). I need to add the "zip" extension to this list so I click the "Add" button. Enter "zip" in the extension text box and click the "Limit to verb" option button.
Figure 2: Web site (virtual directory) properties.
Figure 3: Browsing to aspnet_isapi.dll.
In the Verbs text box, enter GET,HEAD,POST,DEBUG which indicates that "zip" files will be intercepted by aspnet_isapi.dll for those types of HTTP requests. In the "Executable:" text box you need to browse to the location of the aspnet_isapi.dll file (Figure 3). You'll find this file in the C:\WINDOWS\Microsoft.NET\Framework\ folder under the proper framework version folder. My entry will look like Figure 4.

Figure 4: Adding the "zip" extension mapping to IIS.
Figure 5: Mappings with zip extension at the end.
After I make this entry, my mappings list looks like Figure 5. Note all the other extensions in this list to which you normally would not browse, such as VBPROJ, CONFIG, etc. The aspnet_isapi.dll intercepts these extensions for protection purposes also. This is the reason you are redirected to a "denial" page when you attempt to browse to a web.config file.

After I've made this entry in IIS, if I try to directly browse to a zip file on my site IIS will redirect me to the Login page if I'm not authenticated. These changes now protect my files from anonymous users; however, once you login to my site, the doors are open and I still don't want this.

Close Icon
Thanks for your registration, follow us on our social networks to keep up-to-date