I am implementing a javascript file upload functionality in my MVC 3 application and therefore I need to use Http Handler (.ashx) to allow large file upload. Now I need to somehow forbid unauthenticated users to call handler's methods. If I had a controller, I would simply apply [Authorize] attibute to it. But does the attribute work when applied to an Http Handler's method? IF not, how can I allow only people that have a current session cookie to make calls to Http Handler?
Asked
Active
Viewed 2,122 times
1 Answers
5
You could use the <location> section in your web.config to deny access to ~/upload.ashx to anonymous users:
<location path="upload.ashx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Remark: never use the <location> tag to control authorization with ASP.NET MVC controller actions and routes. Use the built-in [Authorize] attribute to decorate the corresponding controller/action.
Darin Dimitrov
- 1,023,142
- 271
- 3,287
- 2,928