
Hello StackOverflow brain trust,

I currently have an ASP.NET 3.5 SP1 running on IIS 7. I have enabled forms authentication using .NET Membership and set up some folders that are restricted according to roles I have created. For instance, if an anonymous visitor tries to access the file http://www.mydomain.com/restricted/foo.txt, he/she will be redirected to a login page, as expected. So far so good.

What I would like to do is provide access to protected files by allowing visitors to specify their login credentials in a query string, something along the lines of:

http://www.mydomain.com/foo.txt?user=username&pass=pwd

Is this possible at all? Any insights are greatly appreciated!

Victor


3 Answers


You should be able to write an HTTP module that intercepts the request and authenticates the user based on the querystring. However, just for the sake of completeness, I'd like to question whether it's a good idea to provide users their username and (in particular) password in plaintext.

Thanks for the quick answer, Joel. I've never written an http module before, but I will pursue that route and let you know how it works! – Victor Jul 22 at 17:21
Incidentally, I figured someone would raise the question of security :-) I don't really intend to share this functionality with most users of the site. The goal is to simply allow a widget on my site to access the file (it takes a URL as input), and the user role I'm specifying for this widget is very restrictive, so no crucial data is exposed. I figured this would at least provide some degree of security to the files used by the widget, though I admit that it certainly isn't foolproof. – Victor Jul 22 at 17:22
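
A sketch of the HTTP module approach from the answer above, as an added example that is not code from the thread. It assumes the IIS 7 integrated pipeline with the module registered to run for all requests (so static files such as foo.txt reach it), role management enabled, and a hypothetical dedicated account named `widget-reader`; the class name and the HTTPS requirement are also assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not code from the thread. Class and account names are assumptions.
public class QueryStringAuthModule : IHttpModule
{
    // Hypothetical dedicated low-privilege account used only by the widget.
    private const string WidgetAccount = "widget-reader";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Leave the request alone if it is already authenticated (forms cookie).
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated) return;

        string user = ctx.Request.QueryString["user"];
        string pass = ctx.Request.QueryString["pass"];
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass)) return;

        // Assumption: credentials are only honoured over TLS.
        if (!ctx.Request.IsSecureConnection) return;

        // Only the widget account may log in this way; all other users
        // fall through to the normal forms-authentication redirect.
        if (!string.Equals(user, WidgetAccount, StringComparison.OrdinalIgnoreCase)) return;

        if (!Membership.ValidateUser(user, pass)) return;

        // The identity lasts for this request only: no forms ticket or cookie is issued.
        ctx.User = new GenericPrincipal(
            new GenericIdentity(user, "QueryString"),
            Roles.GetRolesForUser(user));
    }
}
```

IIS records the query string in its request log by default, so the widget account's password will appear there; that account should hold nothing beyond the widget's role.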

You could easily create a download page that would authenticate the user and then forward them to the requested file. Something like navigating to Download.aspx?user=username&pass=pwd&file=foo.txt.

This however is NOT recommended. You should never require users to pass login information via a URL.

Appreciate the feedback, Dan! See my comment above regarding security. My real dilemma is that I need to pass a URL that my widget can access (it would be ideal to pass a local path, but since it's a 3rd party widget, it has to be a web url). – Victor Jul 22 at 17:26

A secondary answer based on comments you've made to other questions is that you could simply put your download page in a directory. The subfolder could have a web.config that allows unauthenticated users access to the contents within :-)

Something like:

<configuration>
   <system.web>
      <authorization>
         <allow users="*" />
      </authorization>
   </system.web>
</configuration>