How do I implement a secure upload/download area?

I've been asked to create a solution where people log in and are able to upload and download off of our work server. So John uploads a photo, and Jen can download it, for example. They also have to authenticate themselves.

Can someone give me a rough overview开发者_运维技巧 of how to implement this? I'm familiar enough with MySQL, C#, and JavaScript.

The rough overview

This should just be a matter of planning out the pieces.

1. at the very top of the page, put some code that checks if a user is logged in. If not, show a login form (or redirect to...). If they are logged in, show the rest of the page. If not, you'll need some logic to show a form, and then check it once it's submitted for authentication, and set a SESSION cookie or something similar.
2. Once the user is logged in, on the homepage, you might have an file-upload form and a listing of existing files. How you would style would depend on how many files you might expect to have. To keep things extremely simple, you could simple iterate through whatever files are in the upload directory. If you expect many more files than that, you may consider using a db.
3. Handle a file upload by sanitizing filenames (checking for filetype/filesize if you want to limit those) and putting the file into the directory.
4. Force the users to download the files (instead of having the browser decide what to do with them) for security purposes. Implementing this on certain filetypes may also be acceptable.

Other thoughts

You probably would not want the users to be able to excecute any files, so keeping the file directory hidden would be a good idea.

Keeping track of who uploaded and downloaded what is also doable, but would add another layer of complication to the script.