Re: Securing documents - SQL Server or FileSystem
From: Aaron Bertrand [MVP] (aaron_at_TRASHaspfaq.com)
Date: 04/01/04
- Previous message: Marlow: "Securing documents - SQL Server or FileSystem"
- In reply to: Marlow: "Securing documents - SQL Server or FileSystem"
- Next in thread: Aaron Bertrand [MVP]: "Re: Securing documents - SQL Server or FileSystem"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 31 Mar 2004 20:54:56 -0500
I'd go with #2. See http://www.aspfaq.com/2149 for pros and cons of the
options, and http://www.aspfaq.com/2276 for information about using
ADODB.Stream to present images that are not in the web folders.
--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/

"Marlow" <anonymous@discussions.microsoft.com> wrote in message
news:0538D328-ABC3-4099-AFA1-07F79374B944@microsoft.com...
> I am writing a .NET web application that provides secure access to
> images and files. Basically files/images will be uploaded to the
> website (storage method to be determined) by a given user and then
> access to the file will be restricted to other specific users based
> upon some permissions that are stored in join tables against the file
> meta data records.
>
> Currently I am storing the files in the file system with a pointer to
> the folder the files reside in. Each folder has a unique hashed name.
>
> The problem is that the files are all accessible to anyone if a user
> is able to "guess" or otherwise determine the appropriate URL to
> retrieve the file. Obviously this is not appropriate for information
> that must be secure.
>
> To resolve this problem I have thought of two methods:
> 1) Store the files in the SQL Database, and have an aspx page that
> retrieves the files and checks certain security credentials and then
> binarywrites the file to response, or
> 2) Move the files out of the accessible web published folders, to
> another area of the file system, then write a page that checks the
> security credentials opens a filestream to the file and writes it into
> the Response object (if this is even feasible?).
>
> There are potentially very large files to be uploaded and upwards of
> 30,000 files. I am aware of the data paging in storing files larger
> than 8K in SQL. Also there will be several different instances of the
> application and database running for different clients but on the same
> servers.
>
> A lot of the files will be images that are referenced through a
> provided DHTML control, many of which will appear on a public website
> and will be accessed very frequently. Which of the above methods would
> provide (in your opinion of course!) the best combination of Security
> and Performance?
>
> An example would be that a given file is available from a specific
> online date, until a specific offline date. It must be such that after
> that date the file can no longer be accessed even if the user has the
> URL directly through to the specific file. (Currently the HTML content
> that links to the files is taken offline, but not the files
> themselves.)
>
> Any input appreciated, thanks in advance.
>
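An added example, not code from either poster: a C# sketch of option 2 from the quoted question, where a file kept outside the web folders is opened only after the permission check and the online/offline date check pass. `FileRecord`, `SecureFileGate`, the store path and the sample user names are hypothetical, and the metadata row is constructed inline instead of being read from the join tables.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Constructed stand-in for a file metadata row plus its permission join rows.
sealed class FileRecord
{
    public string StoredName;              // name on disk, never taken from the URL
    public DateTime OnlineUtc, OfflineUtc; // availability window
    public HashSet<string> AllowedUsers = new HashSet<string>();
}
static class SecureFileGate
{
    // Returns a read stream only if the user is permitted, the request falls
    // inside the window, and the resolved path stays under the store root.
    public static Stream Open(string storeRoot, FileRecord rec, string user, DateTime nowUtc)
    {
        if (rec == null || user == null || !rec.AllowedUsers.Contains(user)) return null;
        if (nowUtc < rec.OnlineUtc || nowUtc >= rec.OfflineUtc) return null;
        string root = Path.GetFullPath(storeRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, rec.StoredName));
        // Case-insensitive comparison assumes a Windows file system.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;
        if (!File.Exists(full)) return null;
        // In the page itself, copy this stream to Response.OutputStream.
        return new FileStream(full, FileMode.Open, FileAccess.Read, FileShare.Read);
    }
}
static class Demo
{
    static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "docstore-demo"); // outside any web folder
        Directory.CreateDirectory(root);
        File.WriteAllText(Path.Combine(root, "a1b2.bin"), "report body");
        var rec = new FileRecord { StoredName = "a1b2.bin",
            OnlineUtc = new DateTime(2004, 4, 1, 0, 0, 0, DateTimeKind.Utc),
            OfflineUtc = new DateTime(2004, 5, 1, 0, 0, 0, DateTimeKind.Utc) };
        rec.AllowedUsers.Add("alice");
        var inWindow = new DateTime(2004, 4, 15, 0, 0, 0, DateTimeKind.Utc);
        var expired = new DateTime(2004, 6, 1, 0, 0, 0, DateTimeKind.Utc);
        Report("alice, in window", SecureFileGate.Open(root, rec, "alice", inWindow));
        Report("bob, in window", SecureFileGate.Open(root, rec, "bob", inWindow));
        Report("alice, after offline date", SecureFileGate.Open(root, rec, "alice", expired));
    }
    static void Report(string label, Stream s)
    {
        Console.WriteLine(label + ": " + (s == null ? "denied" : "served " + s.Length + " bytes"));
        if (s != null) s.Dispose();
    }
}
```

Because the check runs on every request, a file past its offline date is refused even when the caller still holds a direct link to it.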