How to protect files and directories?

[HansMerkl]

Hi,

I would like to protect some directories and files from outside viewing while still allowing my ASP.NET to access them.

I have seen WebShell lets you protect certain files but I am not sure how secure this is.

Any advice?

Hans

 

[Stephen]

Hans,

Webshell is the way to go.

 

[HansMerkl]

Hans,

Webshell is the way to go.

If I protect a file via Webshell, how secure is this?

Hans

 

[Stephen]

Unless you use the username and password it can't be accessed. It is pretty secure overall. It islike .htaccess password protection on apache.

 

[jonyah]

the safest way is to put the file outside of the web accessible root (ie the root of your ftp, not the directory of your site). Then you can use code to pass that file on to your users after checking security.

or you can also store the file as a blob in SQL and stream it from there.

 

[HansMerkl]

the safest way is to put the file outside of the web accessible root (ie the root of your ftp, not the directory of your site). Then you can use code to pass that file on to your users after checking security.

or you can also store the file as a blob in SQL and stream it from there.

Storing the files outside of the web should work but it seems a bit inelegant. I like the way FrontPage creates a _private folder that's not accessible from the outside.

In the meantime I have protected some files to see how that goes. Is there any way to find out which files are protected? The file manager doesn't show anything.

Hans

 

[Stephen]

Didn't you choose which files/folders you wanted to protect?

 

[HansMerkl]

Yes. I did. But after 15 files I start to lose track. Must be my age . So is there a way to find out?

Didn't you choose which files/folders you wanted to protect?

 

[antic]

It may be wiser to just protect one folder and then put all private files in there.

 

[HansMerkl]

It may be wiser to just protect one folder and then put all private files in there.

I have tried that but when my ASP.NET wanted to access the files in that folder a login box popped up. How do I give ASP.NET access to that folder?

 

[antic]

I have tried that but when my ASP.NET wanted to access the files in that folder a login box popped up. How do I give ASP.NET access to that folder?

Yeah I've had that problem too.

Personally I tend to take the approach of putting secure files in a folder outside the web root. That is, on the same level as your domain folder. I usually call it something like <yourdomain>.com.data (ie. same name but with ".data" on the end). This is usually where I put Access databases as well.

It just means you have to use code to write the file from the secure folder to the output stream of the browser, which takes a good knowledge of ASP.

 

[HansMerkl]

Storing files outside the root folder seems to be the way to go.

But protecting a file/folder against outside access while giving ASP.NET access seems such a basic requirement that it's hard to believe there is no better way.

Yeah I've had that problem too.

Personally I tend to take the approach of putting secure files in a folder outside the web root. That is, on the same level as your domain folder. I usually call it something like <yourdomain>.com.data (ie. same name but with ".data" on the end). This is usually where I put Access databases as well.

It just means you have to use code to write the file from the secure folder to the output stream of the browser, which takes a good knowledge of ASP.

 

[antic]

Well in my mind that is actually the best way.