asp.net: prevent files from bots

Application uses开发者_开发百科 Forms authentication and has folders with excel files. Need to prevent unauthorized, automated scripts or bots from accessing these folders. What would be best option to prevent this?

1. Have the authorization node of the lockElementsattribute value set in the Web.config file.
2. Have a element added to the element in the Web.config file. 3 Use (CAPTCHA) image control on each page of the application. 4 Use Robots.txt file implemented in the root directory of the application.
3. Have the Excel files mapped to the ASP.NET ISAPI filter. Or are there better options? Httmodules?

You could protect the excel files by writing a custom httpmodule and validating that they are authed via the forms auth before giving them access to the file.

In addition I would use the robots.txt file as well to exclude them. Those that follow the rules will stop looking at that point. The rest will be taken care of with the custom httpmodule.

The most secure solution would be to store your files outside of the web-tree and then serve them up via a HttpHandler. The simplest handler to create in ASP.NET would be an .ashx Handler as outlined in this blog post.

<a href="/ExcelHandler.ashx?file=myfile.xsl">Download File</a>

Your handler would then check the user request to ensure the user is authenticated and then stream the file back. In simplified pseudo-C# code this would be something like:

public void ProcessRequest(HttpContext context)
{
  string file = context.Request["file"];
  if (user.IsAuthenticated())
  {
     OutputFile(file, context)
  }
}

private void OutputFile(string file, HttpContext context)
{
   string fileContent = LoadFileFromSecureDirectory(file);
   Response.Output(fileContent);
}

Map the Excel files to the ASP.NET ISAPI filter and add a <deny> element to the <authorization> element in web.config,