Creating a protected link

Is there a way to create a protected download link which is random, expiry, requires a password and pointing to a specific file in C# that is associated with IIS 7.0?

Several random links can link to 开发者_如何转开发the same file.

Built-in codes or perhaps 3rd party libraries?

For example, http://www.example.com/<some random gibberish>/<md5 of file>/file.jpg

One way to do this would be to use GUIDs. GUIDs are designed not to collide, and that design also leads to a difficulty in guessing valid GUIDs. I'm sure someone out there will tell me that this is not very secure! Well, you are also protecting with a password. It is pretty easy to generate a GUID in C#.

I guess what you need is firstly a way of ingesting the files that you want to protect in this way, and secondly a handler that will respond to requests in a given path and inspect the GUID in the path to determine if it's valid.

You'd then need a database back end to maintain lists of GUIDs corresponding to URLs, the password (preferably crypted) and the expiry date. The handler would inspect the entry for the requested URL/GUID to see if the link has expired, then prompt the user (could do this via a web form easily enough) for the password and check this against the crypted password stored in the database.

To generate a GUID, you want:

System.Guid.NewGuid().ToString()

To create a module that is called before every request (for IIS7) you can add an entry to your web.config like so:

<modules>
  <add name="MyDownloadModule" type="Example.MyDownloadModule, Example"/>
</modules>

where MyDownloadModule is the class containing your handler, in the namespace Example.

Inside that class you then need to implement the IHttpModule interface, in particular overriding the methods:

public string ModuleName { 
    get { return "MyDownloadModule"; }
}

public void Init(HttpApplication app) {
    // Add an event handle which is called at the beginning of each request
    app.BeginRequest += new EventHandler(this.AppBeginRequest);
}

//
// Our event handler for the BeginRequest event
//
private void AppBeginRequest(Object source, EventArgs e)
{
    HttpRequest request = app.Context.Request;

    //
    // Is this a file download?
    //
    if (request.AppRelativeCurrentExecutionFilePath == "~/downloads") // or whatever
    {
          // this is where you work your GUID inspecting magic
    }
}

Going about it this way means this will be called for every request to the server, which may not be what you want.

You could always create your own HttpHandler, and then implement your own proprietary expiration/validation code.

Something like:

http://www.example.com/download?token={your_token}

It would then be a trivial matter to have the handler intercept the request and grab the file from disk, and deliver it to the client if the ?token querystring value is correct.

For more information on the IHttpHandler interface, see MSDN http://msdn.microsoft.com/en-us/library/system.web.ihttphandler.aspx