how to prevent access to virtual directory without login to a website

Question

I have a directory contains some documents, i would like to allow access to files on this directory only if the user successfully logged in to a website. the login users and passwords managed by aspNet Membership tables and stored at the DB.

if the directory was sitting on the website is would be easy since it restricted by default but physical path of the directory is not inside the website and i prefer to leave it that way, since this directory can be access from another website

how to solve this? thanks

Answer 1

You should add the runAllManagedModulesForAllRequests attribute to the modules tag in your web.config like so:

<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
...
</system.webServer>

This will impose your dotnet security on all files like word documents and such. Then you can secure the folder using the location section in web.config like so:

<location path="SomeVirtualDirectory">
    <system.web>
        <authorization>
            <allow roles="admin" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

Answer 2

Its not possible to navigate outside of a website directory as it is outside scope of your website and no way depends on the website credentials.

Answer 3

The file directory doesn't have to be a physical subdirectory of your site. If you add it as a virtual directory inside your application, you can just set authentication appropriately.

Alternatively you can just issue something like this:

string filename = @"F:\SomeDirectory\Foo.txt";
Response.TransmitFile(filename);

Then you can just set authentication on this page, for example called DownloadFile.aspx.