There are many ways of validating users before allowing them to download files.
In some applications, you can put the direct URL of a file into the browser and
download it from there directly. This happens because the application does not
validate users on file downloads.
User roles can also be validated for downloads. The simplest way is to apply
ASP.NET membership, which authenticates each user. There is a <deny users="?" />
option that is placed inside the <authorization> tag of the web.config file. We
can have many web.config files in one application, with a maximum of 1
web.config file inside each folder. So we can keep all our downloadable files in
one folder and place a web.config file there. In that web.config file we deny
access to anonymous users. The steps are:
1) Put all downloadable files into a folder.
2) Put a web.config file into this folder.
   a. Put <deny users="?" /> inside the <authorization> tag of this web.config
      file. This stops anonymous user access.
3) Apply ASP.NET membership to authenticate users. Even if someone knows the
   direct URL, the download is not allowed, because authentication is checked
   with the help of ASP.NET membership.
Isn't it simple? We can even allow file downloads on a role basis. There is
another web.config option, <deny roles="weGiveUserRoleHere" />, that denies
downloads to specific roles. Rather than denying roles, we can also set roles
for "allow".
4) Put <allow roles="myAllowedRoles" /> or <deny roles="myDeniedRoles" /> inside
   the <authorization> tag.
Thus, we can stop anonymous downloads, deny other logged-in users, and allow
downloads only to users in specific roles.
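
The steps above combined into one web.config for the downloads folder, as an added example that is not part of the original article. The role name is the placeholder used in step 4, and the closing deny rule is an addition that the rule-ordering behaviour of ASP.NET URL authorization makes necessary.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config placed inside the folder that holds the
     downloadable files. The role name is a placeholder, not a real role. -->
<configuration>
  <system.web>
    <authorization>
      <!-- Rules are evaluated top to bottom; the first matching rule wins. -->

      <!-- 1. Reject anonymous (unauthenticated) users. -->
      <deny users="?" />

      <!-- 2. Let members of the permitted role through. -->
      <allow roles="myAllowedRoles" />

      <!-- 3. Reject every other logged-in user. Without this rule, a user who
           matches nothing above falls through to the inherited default
           <allow users="*" /> and can still download. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

To check the rules, request a file's direct URL while logged out and again as a logged-in user outside the role; both requests should be refused. If a static file still downloads, the request is not passing through ASP.NET authorization, which depends on the IIS pipeline mode and handler mappings.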