问题描述
我们正在使用表单身份验证来对用户进行身份验证.在我们的应用程序中,有一个页面可以下载exe.
We are using forms authentication to authenticate users. In our application there is a page to download an exe.
当我在Visual Studio中调试代码时,它仅允许登录用户下载文件.当其他用户尝试下载文件时,他们会自动重定向到登录页面.
When I am debugging the code in visual studio, it allows only logged-in users to download the file. When other users try to download the file, they are automatically redirected to the login page.
但是,当我从虚拟目录运行此文件时,所有用户(无论是否已登录)都可以通过访问直接路径(例如 http://testappln/foldername/test.exe .
But when I am running this from a virtual directory, all users (whether logged-in or not) can download the file by accessing the direct path like
http://testappln/foldername/test.exe
.
在这种情况下如何防止未经授权的用户访问?
How to prevent accessing of unauthorized users in this situation?
推荐答案
一种可能性是将文件放入禁止直接访问的
App_Data
文件夹中,然后使用通用的ASHX处理程序进行读取文件的内容,并将其返回给客户端.然后,您可以只允许经过身份验证的用户访问此通用处理程序:
One possibility is to put the file inside the
App_Data
folder which is forbidden direct access to and then have a generic ASHX handler to read the contents of the file and return it to the client. Then you could restrict the access to this generic handler to only authenticated users:
<%@ WebHandler Language="C#" Class="Download" %>
using System;
using System.Web;
public class Download : IHttpHandler
{
public void ProcessRequest (HttpContext context)
{
context.Response.ContentType = "application/octet-stream";
context.Response.WriteFile("~/App_Data/test.exe");
}
public bool IsReusable
{
get
{
return false;
}
}
}
,并在您的web.config中,限制对
Download.ashx
处理程序的访问:
and in your web.config you restrict the access to the
Download.ashx
handler:
<location path="Download.ashx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
这篇关于如何防止匿名用户使用表单身份验证访问文件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!