Secure Downloads in Shared hosting

[Dave Lambert]

Hi there, I have created a download website for members, all downloads are held in a folder and a user can access a specific download when he has paid for them, i then write a record into the database to say the user is entitled to download this item. I then wish when the user logs on, to display all downloads they have bought in a web page, via say a link to the download, how would I do this and stop people just typing in the name of the file directly into the address bar as they could then download the file for free. The site is on a shared server so I cannot change the IIS settings

Any help would be much appreciated as I am scratching my head and typing at the same time in puzzlement of how to accomplish this effectively!!

dave

[Wes Henderson]

Dave,

Here's the approach I took to a similar situation:

- I had the downloads in a folder not accessible to anonymous users (can you
modify permissions?)
- I processed the download requests programmatically (the code decided
whether or not they got the download)

The name of the file could be sent as part of the GET request (ie.
Download.aspx?file=filename.aaa), then the code could check the database to
see if they're clear for access.

Here are some C# code snippits that might help~

String filename = Request.Params["file"]; // stores "filename.aaa" in
filename

// Add your own code here to approve the file.
// If it's a public site, you probably want to make sure filename doesn't
// contain double periods, slashes, and whatnot. In fact, you might want
// to add an encryption/decryption routine just so people will have a
// hard time generating their own requests

// If approved for download then do this code
Response.AppendHeader("Content-Disposition", "attachment; filename=" +
filename);
Response.Flush();
Response.WriteFile("c:\\somefolder\\" + filename);
Response.End();


Hope this helps.

--
Regards,
Wes Henderson

In order to help everyone, please direct all replies to this newsgroup.
This posting is my personal effort to provide help and is not on behalf of
any company.
Also, this posting is provided "AS IS" with no expressed or implied
warranties.

"Dave Lambert" <anonymous@discussions.microsoft.com> wrote in message
news:21BA2AE0-C737-495E-B599-3E600E3B9177@microsoft.com...

> Hi there, I have created a download website for members, all downloads are

held in a folder and a user can access a specific download when he has paid
for them, i then write a record into the database to say the user is
entitled to download this item. I then wish when the user logs on, to
display all downloads they have bought in a web page, via say a link to the
download, how would I do this and stop people just typing in the name of the
file directly into the address bar as they could then download the file for
free. The site is on a shared server so I cannot change the IIS settings.

>
> Any help would be much appreciated as I am scratching my head and typing

at the same time in puzzlement of how to accomplish this effectively!!!

>
> dave