Is it possible to require the user be authenticated (logged in) when downloading ZIP files from my site? Note that I don't have direct control of IIS7. (I'm on a shared hosting account.)
I can't simply alter the access for a particular directory because many directories are involved and most contain other files that can be accessed freely.
I've Googled this a bit and found similar questions. But I've been unable to find this exact question.
EDIT: This is specifically a programming question (even if the answer is that it can't be accomplished via programming). Also, it asks a very specific question. (Apparently, a couple of people were confused on these points.)
Why not use forms authentication? You could then simply check for a valid auth cookie.
In MVC, my solution was to create a controller to handle the downloads, and apply the [Authorize] attribute to that controller so, with a route like:
downloads/get/{filename}
and a controller action:
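// requires: using System.IO;
[Authorize]
[HttpGet]
public ActionResult Get(string fileName)
{
    // should pull this path from web.config or a database...
    string downloadFolder = @"c:\inetpub\virt\downloads\";
    // Keep only the file name so a value such as "..\web.config" cannot leave the download folder.
    string safeName = Path.GetFileName(fileName ?? string.Empty);
    // downloadFolder is already a physical path, so Server.MapPath() must not be applied to it.
    string fullPath = Path.Combine(downloadFolder, safeName);
    if (safeName.Length == 0 || !System.IO.File.Exists(fullPath))
        return HttpNotFound();
    // File() renders the binary content of the specified file back to the browser
    // (FileResult itself is abstract and cannot be instantiated).
    return File(fullPath, "application/zip", safeName);
}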
If you're using webforms, there are a couple of different ways to handle it using either an ASPX or ASHX. But, they all come down to the same idea:
- Parse the URL to get the download file name.
- Find and load the file contents from disk.
- Set the content-disposition header in the response to tell the browser what the filename should be.
- Response.BinaryWrite() the binary data back to the browser.
Here's an OLD example article using an ASHX.
This should fix your problem: since the requests are going through ASP, and not just direct to the ZIP or other files, the requests have to pass through whatever authentication system you're using. (Forms authentication works fine and does solve this problem.)
Update
Here's a nice link on MSDN that works in webforms.
Here's how I resolved this:
I created a custom HttpHandler for ZIP files. What's really cool with IIS7 is that you can map a file to your handler in the new <httpHandlers> section of the web.config file.
The HttpHandler object receives an HttpContext object, which includes User.Identity.IsAuthenticated already filled out for me. I simply pass along the requested file if the user is authenticated, or redirect them to my login page if not.
With older versions of IIS and ASP.NET, it would be necessary to tweak IIS to map ZIP files to ASP.NET. However, IIS and ASP.NET are merging somewhat, making tasks like this much easier.
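A sketch of the ZIP handler described in the answer above, which also follows the load / set-header / write steps listed in the earlier webforms answer. This is an added example, not code posted by either answerer. It assumes forms authentication is configured and the site runs in the IIS7 integrated pipeline; the class, namespace and assembly names are hypothetical.

```csharp
// Added example: ProtectedZipHandler, the Example namespace and assembly are hypothetical names.
// Registration in web.config (IIS7 integrated pipeline):
//   <system.webServer><handlers>
//     <add name="ProtectedZip" verb="GET,HEAD" path="*.zip"
//          type="Example.ProtectedZipHandler, Example" />
//   </handlers></system.webServer>
// Classic pipeline: the same <add> (without name) under <system.web><httpHandlers>.
using System;
using System.IO;
using System.Web;
using System.Web.Security;

namespace Example
{
    public class ProtectedZipHandler : IHttpHandler
    {
        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            // Anonymous request: send the browser to the forms-authentication login page.
            if (context.User == null || !context.User.Identity.IsAuthenticated)
            {
                FormsAuthentication.RedirectToLoginPage();
                return;
            }

            // IIS has already mapped the request URL to a physical path inside the site.
            string path = context.Request.PhysicalPath;
            bool isZip = string.Equals(Path.GetExtension(path), ".zip",
                                       StringComparison.OrdinalIgnoreCase);
            if (!isZip || !File.Exists(path))
            {
                context.Response.StatusCode = 404;
                return;
            }

            context.Response.ContentType = "application/zip";
            context.Response.AddHeader("Content-Disposition",
                "attachment; filename=\"" + Path.GetFileName(path) + "\"");
            // Keep shared caches from storing a copy that would bypass the login check.
            context.Response.Cache.SetCacheability(HttpCacheability.Private);
            context.Response.TransmitFile(path);
        }
    }
}
```

Because the mapping is by extension, every *.zip under the site passes through the same check regardless of directory, while other files in those directories stay freely accessible.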
I would suggest contacting your hosting provider. Many shared hosting providers give you access to your .htaccess file or some means of securing your site. This would be different from provider to provider.