There is an ASP.NET application www.example.com/APP. From within the application several documents - for example office documents DOCX, PDF, etc. - can be opened. They are accessed via some virtual directory as in www.example.com/APP/VIRTUAL/letter.pdf.
Of course, the documents may only be accessed from within the application, after the user has been identified successfully. Some documents may only be opened by some privileged users. It should be impossible to open letter.pdf by simply entering the above URL into a browser.
I am thinking about the following...
The name of the virtual directory is kept secret.
After the user has successfully logged into the application, some secret is created. The secret contains the user's ID and some time information (valid from / until).
Then, if a document is to be referenced from within the application, the URL www.example.com/APP/<secret>/letter.pdf is referenced.
In IIS the secret is checked. For this, some of my code is called when serving a request. If successful, the URL is rewritten as www.example.com/APP/VIRTUAL/letter.pdf.
I tried several components, such as the IIS URL Rewrite, IHttpModule, IHttpHandler. Unfortunately, I did not yet succeed.
What is the preferred way for protecting the documents? Is the above idea any good? Can it be done? How?
Or is there some easier way that I fail to see?
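One way to build and check the secret described in the post, as an added C# example that is not part of the original post: the user ID and the valid from / until times are bound with an HMAC, so the URL segment cannot be forged or have its lifetime extended. The class name, key and sample user are constructed for illustration, and it is an assumption that code in the request pipeline calls `Validate` on the `<secret>` segment before rewriting to the real path.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
public static class UrlSecret
{
    // Constructed demo key (assumption): use a random 32-byte key from protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-0123456789ab");
    static string Enc(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] Dec(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s + new string('=', (4 - s.Length % 4) % 4));
    }
    static byte[] Mac(string payload)
    {
        using (var h = new HMACSHA256(Key)) return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
    // Secret = base64url("userId|validFrom|validUntil") + "." + base64url(HMAC-SHA256 of that payload)
    public static string Create(string userId, DateTimeOffset from, DateTimeOffset until)
    {
        string payload = userId + "|" + from.ToUnixTimeSeconds() + "|" + until.ToUnixTimeSeconds();
        return Enc(Encoding.UTF8.GetBytes(payload)) + "." + Enc(Mac(payload));
    }
    // Returns the user ID if the MAC verifies and 'now' lies inside the window; otherwise null.
    public static string Validate(string secret, DateTimeOffset now)
    {
        try
        {
            string[] t = (secret ?? "").Split('.');
            if (t.Length != 2) return null;
            string payload = Encoding.UTF8.GetString(Dec(t[0]));
            byte[] want = Mac(payload), got = Dec(t[1]);
            int diff = want.Length ^ got.Length;            // constant-time comparison
            for (int i = 0; i < want.Length && i < got.Length; i++) diff |= want[i] ^ got[i];
            if (diff != 0) return null;
            string[] p = payload.Split('|');                // assumes user IDs contain no '|'
            long ts = now.ToUnixTimeSeconds();
            if (p.Length != 3 || ts < long.Parse(p[1]) || ts > long.Parse(p[2])) return null;
            return p[0];
        }
        catch (FormatException) { return null; }            // malformed base64 or numbers: reject
    }
    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        string s = Create("alice", now, now.AddMinutes(20)); // constructed sample user
        Console.WriteLine("{0} / {1} / {2}", Validate(s, now) ?? "rejected",   // valid, expired, tampered
            Validate(s, now.AddHours(1)) ?? "rejected", Validate("X" + s, now) ?? "rejected");
    }
}
```

The returned user ID should still be compared with the authenticated user and checked against the per-document privileges, since the signed secret only proves who it was issued to and for how long.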