Question
I have an Internet website running on IIS/Windows configured as follows:
- The website is publicly accessible for visitors to browse.
- A user can log in and upload files.
- The user will be able to see their files, but not another user's files.
- After the files are uploaded they are stored in a directory in the website.
If someone has the full URL to the file, e.g. http://website.com/files/13212132.jpg, how can I prevent the file from being accessed by people other than the user who uploaded the file?
Any insights will be appreciated.
Explanation / Answer
The best way is to not serve the files directly at all, but serve them via a handler. This way you can store the files wherever you like (which has advantages of its own, and not just security advantages), and the handler can process both authentication and authorization checks before making the decision as to whether it should present the file to the user or not.
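A sketch of such a handler, added here as an example and not part of the original answer. It assumes an ASP.NET site on IIS; the class name `UserFileHandler`, the `StoreRoot` path, the `id` query parameter and the in-memory `Files` table (a stand-in for a database lookup) are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Hypothetical handler, requested as e.g. /download.ashx?id=13212132
public class UserFileHandler : IHttpHandler
{
    // Assumption: uploads are stored outside the web root, so IIS cannot serve them by URL.
    private const string StoreRoot = @"D:\AppData\uploads";

    // Constructed sample data standing in for a database table keyed by file id.
    private static readonly Dictionary<string, StoredFile> Files =
        new Dictionary<string, StoredFile>
        {
            { "13212132", new StoredFile("alice", "13212132.jpg", "image/jpeg") }
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Authentication: anonymous visitors never reach the file lookup.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // Authorization: the file record must exist and belong to the caller.
        // Unknown and not-owned ids get the same 404 so ids cannot be probed.
        string id = context.Request.QueryString["id"];
        StoredFile file;
        if (id == null || !Files.TryGetValue(id, out file) ||
            !string.Equals(file.Owner, context.User.Identity.Name,
                           StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // The path is built from the server-side record, never from request input.
        context.Response.ContentType = file.ContentType;
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.TransmitFile(Path.Combine(StoreRoot, file.StoredName));
    }
}

class StoredFile
{
    public readonly string Owner, StoredName, ContentType;
    public StoredFile(string owner, string storedName, string contentType)
    { Owner = owner; StoredName = storedName; ContentType = contentType; }
}
```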