How to stop users from getting files if they are not logged in
I am developing a website. There are some files placed in a folder, and I have provided links to those files so that users can download them. I am only allowing authenticated users, not everyone, but any user who knows the link to a file can put it directly in the address bar and get that file. Can anyone tell me how I can make sure that the files are downloaded only by authenticated users and not by all users?
If you have all your files in one folder then you only need to place a web.config file in this folder with the following content:
<configuration>
  <system.web>
    <authorization>
      <!-- disallow anonymous users -->
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
You can find more details here.
You don't want to provide links to the actual files. Your best bet is to store the files in a non-web accessible location, or set permissions on the folder so that it is only accessible to your application, not anonymous users.
You can maintain a list of user specific files in a user_files table in your database, and then link to a download script which defines the filename as a variable, and delivers the user file as an octet stream.
// File name for this user, e.g. taken from the user_files table
string _fileName = /*file name for this user*/;
string _path = /*some user specific path*/ + "FileDir/" + _fileName;
System.IO.FileInfo _file = new System.IO.FileInfo(_path);
if (_file.Exists)
{
    // Send the file as a download rather than rendering it in the browser
    Response.Clear();
    Response.AddHeader("Content-Disposition", "attachment; filename=" + _file.Name);
    Response.AddHeader("Content-Length", _file.Length.ToString());
    Response.ContentType = "application/octet-stream";
    Response.WriteFile(_file.FullName);
    Response.End();
}
You should not show a direct link to the file; you should create something like a proxy (I suppose an HTTP handler is a good fit for that). In the handler you should check that the user is authenticated (probably by checking some value from the session); if so, then return the file, otherwise return not found or something else.
So the URLs for all files will look like this:
http://localhost/filesHandler.ashx?file=pathToFile
One solution: do not put a link directly to that file in your site and don't put those files where a visitor could guess the location.
Instead use a link like "download.aspx?file=filename". Then in that download.aspx you can verify the user and Response.WriteFile that file.
(a Download.ashx would also work)
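The handler approach from the answers above, as an added example that is not part of any original answer: it checks authentication and also confines the `file` parameter to one storage folder, since a handler that accepts a path from the query string can otherwise be pointed at any file the application can read. The class name, the `~/App_Data/FileDir/` folder and the status codes are assumptions.

```csharp
// Download.ashx code-behind (added example; names and paths are assumptions).
using System;
using System.IO;
using System.Web;

public class Download : IHttpHandler
{
    // Assumed storage folder; ASP.NET does not serve App_Data directly.
    private const string StorageVirtualPath = "~/App_Data/FileDir/";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Reject anonymous callers before touching the file system.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }
        // 2. Accept a bare file name only: no separators, drive letters or quotes.
        string name = context.Request.QueryString["file"] ?? string.Empty;
        if (name.Length == 0 || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            context.Response.StatusCode = 400;
            return;
        }
        // 3. Resolve the full path and confirm it is still inside the storage
        //    folder; this also rejects "." and "..".
        string root = Path.GetFullPath(context.Server.MapPath(StorageVirtualPath))
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string fullPath = Path.GetFullPath(Path.Combine(root, name));
        if (!fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }
        // Assumption: every authenticated user may fetch every file here. A
        // per-user check (e.g. against a user_files table) belongs at this point.

        // 4. Send the file as an attachment so the browser does not render it.
        context.Response.Clear();
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.TransmitFile(fullPath);
    }
}
```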
If you're using asp.net roles and authentication then you can do something like this in your web config...
<location path="Admin">
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="?" />
    </authorization>
  </system.web>
</location>
You just need to check, in the Page_Load event of the file download page, that the logged-in user is an authenticated user. If the user is authenticated, then allow the user to download the file, else not.