
I am creating a recruitment site and have a folder called /CV/ where I am storing resume files uploaded by the member.

Let's say a user saves their resume and it's called 123.pdf and is stored in cv/123.pdf. How can I prevent the PDF file from loading in the browser window or downloading to the user's machine if they type in 'http://mydomain.com/cv/123.pdf'?

I am using Forms Authentication, ASP.NET Membership and Roles Providers, ASP.NET 4 on an IIS6 server.

3 Answers

4
  1. Create a folder that is outside of the hierarchy of the main www folder used by the site (so it cannot be directly accessed through url)
  2. Use an ashx handler to provide access to download the file. The logic within the ashx file can validate whether the user is authorized to download the file or not.

ASHX references: 1, 2, 3


1 Comment

Thanks very much. I ended up using the method of storing it in the App_Data folder and creating a handler to transmit the file. mikesdotnetting.com/Article/122/…
4

The best way would be to put the files somewhere else, and write some code to access them -- then that code can verify whether the caller has the necessary rights.

For instance, you may store files in your /uploads/xyz123/ directory. Then in order to download a file, say myresume.pdf, the user would have to surf to http://yourserver/download.aspx?file=myresume.pdf.

That page then does the necessary validations, loads the file and outputs it as a binary to the browser, like so:

// binaryStream is a MemoryStream holding the file's bytes; filename is the name the browser will show
Response.ClearContent();
Response.ClearHeaders();
Response.ContentType = "application/pdf";
// quote the file name so a name containing spaces or ';' cannot break the header
Response.AddHeader("content-disposition", "attachment; filename=\"" + filename + "\"");
Response.AddHeader("content-length", binaryStream.Length.ToString()); // ToString needs parentheses in C#
Response.BinaryWrite(binaryStream.ToArray());
Response.Flush();
Response.End();

No user will ever find out where the files are actually stored.

2 Comments

Typically the "somewhere else" is a folder that isn't web accessible, so if your root website is in /inetpub/wwwroot/, you might have files in /inetpub/files, and then you write a handler that will serve up the file after doing the correct permissions check. Also, you could use the web.config to allow/deny access to a folder - but this is a broad-brush user-based authorization.
@Roy - Yeah I had considered that method but was wondering if there was any way of doing it while keeping the folder within the application folder structure.
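Putting the two answers above together (the folder outside the web root from the first, the query-string download endpoint from the second), here is an added example handler that is not from the original thread. It assumes ASP.NET 4 Web Forms with Forms Authentication and the Membership/Roles providers, resumes stored under App_Data/cv as <username>.pdf, and a role named "Recruiter"; the file name CvDownload.ashx is hypothetical.

```csharp
<%@ WebHandler Language="C#" Class="CvDownloadHandler" %>
// CvDownload.ashx (hypothetical file name): serves resumes stored under App_Data/cv,
// which IIS never serves directly, after authentication and authorization checks.
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

public class CvDownloadHandler : IHttpHandler
{
    private static readonly string CvRoot =
        Path.Combine(HttpRuntime.AppDomainAppPath, "App_Data", "cv");

    // Assumption: each member's resume is stored as "<username>.pdf". Only that shape is
    // accepted, so "..\", drive letters and other extensions never reach the file system.
    private static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9_-]{1,64}\.pdf$");

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // Forms Authentication: anonymous callers get nothing.
        if (!context.User.Identity.IsAuthenticated) { response.StatusCode = 401; return; }

        string requested = context.Request.QueryString["file"] ?? "";
        if (!SafeName.IsMatch(requested)) { response.StatusCode = 400; return; }

        // Authorization: the owner, or anyone in the "Recruiter" role (assumed role name),
        // may fetch the file; everyone else is refused even though they are logged in.
        string owner = Path.GetFileNameWithoutExtension(requested);
        bool isOwner = string.Equals(owner, context.User.Identity.Name, StringComparison.OrdinalIgnoreCase);
        if (!isOwner && !context.User.IsInRole("Recruiter")) { response.StatusCode = 403; return; }

        // Belt and braces: the resolved path must still sit under CvRoot.
        string fullPath = Path.GetFullPath(Path.Combine(CvRoot, requested));
        if (!fullPath.StartsWith(CvRoot, StringComparison.OrdinalIgnoreCase) || !File.Exists(fullPath))
        {
            response.StatusCode = 404; return;
        }

        response.ContentType = "application/pdf";
        response.AddHeader("Content-Disposition", "attachment; filename=\"" + requested + "\"");
        response.TransmitFile(fullPath);   // streams from disk; no need to buffer the whole file
    }

    public bool IsReusable { get { return true; } }
}
```

A request to /CvDownload.ashx?file=alice.pdf returns the file only to alice or to a member in the Recruiter role; because App_Data is never served by IIS, the direct /cv/123.pdf URL from the question has nothing to serve.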
3

You can simply save the file in a directory that is not part of your web application.

If you want to store a file that should not be reached via http, do it this way.
