So here's my situation. We have a web app that handles case management. For each case, there are typically several PDF documents. My company previously stored these documents in a standard filing cabinet. This made things a headache when we had to look up a case as we'd go to the web app, find the case information, then go to the filing cabinet. I want to develop a method so that users can upload the documents via the web app and link them together, so that when you find it on the web app you can just click a link to get the associated files.
On the web app, we utilize forms authentication. For each ASPX page, I check for the cookie and if one exists they're good to go. Otherwise, they're redirected to the login page.
However, I've now hit a roadblock. I was planning on just uploading the PDFs to the server and creating a column in the Cases table that would return the link to the document on the file server. The issue then is that if the user isn't logged in (or they've left the company) and they just copy and paste the link into the address bar, BAM, they now have access to that case's file information. This cannot happen.
The other solution is just storing the files in SQL Server 2008 R2. However, I've read a lot of information about performance issues, etc. So, I'm not entirely sure if that's the best solution. Currently it's the only one.
If anyone has some thoughts as to how else I could handle this scenario, I would greatly appreciate any and all feedback.
Thanks,
Andrew
You are really dealing with two different issues here: storage system for the documents and security for the documents.
In terms of storage location, you can store them directly in the file system or store them using SQL 2008's FileStream feature.
In terms of securing them, I would go with something similar to what FreudianSlip suggested. Have a page where you pass it the document name (or some other key, such as the ID if storing it in SQL Server), and have that page verify the user's authorization, read the file, and push it back in the response stream.
No matter what, I would recommend updating your web.config to use actual Forms Authentication and authorization so you don't need to explicitly check the cookie each time. It will be handled by the asp.net platform.
You could, instead of making the link a direct link to the pdf document, make it to a script that validates any needed credentials, then if all is good, feeds the file.
http://link.to.pdf/servePDF.asp?docname=mycasedoc.pdf
servePDF.asp validates any sessions/cookies and if all is ok pushes the doc.
Something like this:
using System.IO;
// Resolve the physical path on the server; the browser never sees it.
string pdfPath = Server.MapPath("~/SomePDFFile.pdf");
// Read the file straight from disk (no need for WebClient on a local path).
byte[] buffer = File.ReadAllBytes(pdfPath);
Response.Clear();
Response.ContentType = "application/pdf";
Response.AddHeader("Content-Length", buffer.Length.ToString());
Response.BinaryWrite(buffer);
// Stop further page rendering so nothing gets appended to the PDF bytes.
Response.End();
This option would allow you to completely obfuscate the true location of the file.
You can use the Global.asax Application_AuthenticateRequest event and write custom logic based on a static folder (like /assets/) and do your custom validation there.
Likewise, you can also register an HTTP Module and do the same thing.
http://support.microsoft.com/kb/307996
You could also implement an HTTP Handler to accept requests to a given path, do some validation, and then return the file contents, like Jeff Turner suggested.
See http://support.microsoft.com/kb/308001
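Here is an added example (not code from any of the answers above) of the "serve script" and HTTP Handler idea from the two answers above, written as an ASP.NET IHttpHandler: it checks Forms Authentication, then checks that the user may see the case the document belongs to, then streams the file. The handler looks documents up by an opaque id rather than a file name, so the query string cannot steer which path is opened. DocumentStore, CaseAccess, StoredDocument, the /ServePdf.axd path, the user name "andrew" and the D:\CaseFiles path are all assumptions with constructed sample data; in the real app they would be backed by the Cases/Documents tables.

```csharp
// Added example: an ASP.NET IHttpHandler that streams a case PDF only after
// Forms Authentication and a per-case authorization check. DocumentStore and
// CaseAccess are hypothetical in-memory stand-ins for the Cases/Documents
// tables, filled with constructed sample data; replace them with SQL queries.
using System;
using System.Collections.Generic;
using System.Web;

// One stored document. The physical path stays server-side and never
// appears in any link the browser sees.
public class StoredDocument
{
    public int CaseId;
    public string PhysicalPath;   // keep this folder outside the web root
    public string DownloadName;   // file name shown to the user
}

// Hypothetical stand-in for a Documents table (constructed sample data).
public static class DocumentStore
{
    private static readonly Dictionary<int, StoredDocument> Docs =
        new Dictionary<int, StoredDocument>
        {
            { 42, new StoredDocument { CaseId = 7,
                  PhysicalPath = @"D:\CaseFiles\7\c3d4e5.pdf",
                  DownloadName = "intake-form.pdf" } }
        };

    public static StoredDocument Find(int id)
    {
        StoredDocument doc;
        return Docs.TryGetValue(id, out doc) ? doc : null;
    }
}

// Hypothetical stand-in for a case-assignment table (constructed sample data).
public static class CaseAccess
{
    private static readonly Dictionary<string, HashSet<int>> Assignments =
        new Dictionary<string, HashSet<int>>(StringComparer.OrdinalIgnoreCase)
        {
            { "andrew", new HashSet<int> { 7 } }
        };

    public static bool UserMayView(string userName, int caseId)
    {
        HashSet<int> cases;
        return Assignments.TryGetValue(userName, out cases) && cases.Contains(caseId);
    }
}

// Registered as /ServePdf.axd (assumed path); links become /ServePdf.axd?id=42
// instead of pointing at the file itself.
public class ServePdfHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // 1. Authentication. FormsAuthenticationModule has already validated the
        //    ticket cookie and filled context.User; a pasted link without a valid
        //    ticket stops here (Forms auth turns the 401 into a login redirect).
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            response.StatusCode = 401;
            return;
        }

        // 2. Opaque document id, never a file name, so there is no path to
        //    traverse with "../".
        int docId;
        if (!int.TryParse(context.Request.QueryString["id"], out docId))
        {
            response.StatusCode = 400;
            return;
        }

        StoredDocument doc = DocumentStore.Find(docId);
        if (doc == null)
        {
            response.StatusCode = 404;
            return;
        }

        // 3. Authorization: logged in is not enough, the user must be allowed
        //    to view this particular case.
        if (!CaseAccess.UserMayView(context.User.Identity.Name, doc.CaseId))
        {
            response.StatusCode = 403;
            return;
        }

        // 4. Stream the file. TransmitFile lets IIS send it without buffering
        //    the whole PDF; no-cache keeps proxies from storing a copy that a
        //    later, unauthenticated request could be served from.
        response.Clear();
        response.ContentType = "application/pdf";
        response.AddHeader("Content-Disposition",
            "inline; filename=\"" + doc.DownloadName.Replace("\"", "") + "\"");
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.TransmitFile(doc.PhysicalPath);
    }
}
```

To wire it up, register the type in web.config: under IIS 7 integrated pipeline, `<system.webServer><handlers><add name="ServePdf" verb="GET" path="ServePdf.axd" type="ServePdfHandler" /></handlers></system.webServer>`; under classic mode, `<system.web><httpHandlers><add verb="GET" path="ServePdf.axd" type="ServePdfHandler" /></httpHandlers></system.web>`. The .axd extension is always routed to ASP.NET, so no extra IIS mapping is needed. Alternatively, drop the class into a ServePdf.ashx file with a `<%@ WebHandler Language="C#" Class="ServePdfHandler" %>` directive and skip the registration.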
I would suggest keeping the PDFs in their separate directory. Then build an additional web.config file in that same directory to specify form authentication access. For example:
<configuration>
  <system.web>
    <authorization>
      <allow users="Foo"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
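As an added example (not part of the answer above), here is a complete root web.config that puts the directory idea together with real Forms Authentication; the folder name CaseDocs, the login page name and the timeout are assumptions. Two things worth knowing when relying on this: denying "?" (anonymous users) is the usual rule when everyone with an account may enter, rather than listing named users; and ASP.NET authorization only applies to requests ASP.NET actually processes. On IIS 7 and later in integrated mode, a static .pdf is served by the static-file handler and the managed FormsAuthentication and UrlAuthorization modules never run for it unless runAllManagedModulesForAllRequests is on (or .pdf is mapped to a managed handler), so without that setting a pasted link to the file would still work.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Real Forms Authentication: the platform validates the ticket cookie
         on every request, so pages no longer need a hand-rolled cookie check. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30"
             slidingExpiration="true" requireSSL="true" />
    </authentication>
    <!-- Site-wide: anonymous users ("?") are redirected to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Folder holding the PDFs (assumed name). Same effect as a web.config
       inside the folder; tighten to specific users or roles here if only
       some staff may open case files. -->
  <location path="CaseDocs">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- IIS 7+ integrated pipeline: without this, .pdf requests go straight to
       the static file handler and the rules above never run for them. -->
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
</configuration>
```

Even with this in place, the directory approach only answers "is the caller logged in"; it does not know which cases a given user may see. If that finer check is needed, the handler approach in the earlier answers is the one that can ask it.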