Protecting large file download

SubSpace

Bass
I'd like to protect a large file download (20-100 MB) on my website (using ASP and currently moving to ASP.net), so only people that are logged in can actually download it.

With a reasonably small file this wouldn't be a problem, you can write a script that sends the file. However, for a large file the script would time out before the download is completed.

I know that in ASP.net it's fairly easy to protect files using a HttpModule that is able to refuse access when appropriate, but files that aren't processed by the ASP.net ASAPI filter are unaffected.

On a dedicated server you could just add this mapping for executables and/or archive formats and it would work, but H-Sphere doesn't currently have the option to add custom file extensions to ASP.net processing.

Is there any way I've overlooked to protect such a file from download by unregistered members? Sure I could make the URL invisible for people that aren't logged in, but that would still leave the possibility of registered users handing out the link to unregistered users.
 
doctorallia, if he says htaccess would your next question be ... either use that.. or you wont need it :D

but im not sure htaccess is able to be implimented in a way its dynamic.. as i take it .. that is what you are doing subspace?
 
form+cookie authentication..

I'm not going to use htaccess. It seems to have problems on Windows and JodoHost seems to uninstall it at will as a result, which can break things and/or expose sensitive content.
Also, it's just plain ugly, imo..

I may be able to think of something that uses HTTP authentication purely for the download though, it's not really a problem if other people get their hands on it, I just want to prevent random people from sucking up my bandwidth :p
 
Hey we don't uninstall it at will, but it seems that people end up protecting their domain root as well, most of the time, so we get tickets about them and remove it, unless there is a ticket like that we don't touch them.
 
OK, there were some stability problems with it before as I understand it, which is why it got uninstalled at some point. I was referring to that.
 
On a dedicated server you could just add this mapping for executables and/or archive formats and it would work, but H-Sphere doesn't currently have the option to add custom file extensions to ASP.net processing.

Are you sure about this? When I was doing some on-the-fly image manipulation, I had to ask them to add the graphic file types to the ASP.Net filter and they did it for me without any problem.
 
if it is an application you can just add an extra web.config file in the same folder as the download and just only allow logged in users.
 
on second thought, that may work but will probably cause some issues that i dont really know how to fix..

if you just use this in your regular web.config file

<location path="thefolderthatyourfileisin">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
 
Back
Top