Click here to Skip to main content
12,554,623 members (56,752 online)
Click here to Skip to main content
Add your own
alternative version

Tagged as


11 bookmarked

Stream Your Documents Using Simple Web Page

, 22 Jan 2014 CPOL
Rate this:
Please Sign up or sign in to vote.
Show stored document without revealing its original location...


The application I'm mostly working on gives access to students and teacher to their personal information inside their institute. Often the students use shared computers inside the campus which may lead to security/privacy problems. One of those problems is links to documents inside pages the student visited. As the links are stored with the page, it's clearly possible for others to see them too, while using the same computer/browser. I will give some resolution to this problem here...


In the mentioned environment, students have the ability to ask questions from teachers and academic staff - like 'why my grade is 99 and not 100!'...

To those question in - most cases - they attach some documents to prove their case. Those documents stored on some storage and later presented to the other side. In the first versions of our application, that was done by creating some <a> elements on the page linked to the document. As concerns regarding security/privacy come into focus, we decided that we have to find a way to hide information about the location of the documents and prevent watching those documents at any later time.

The Solution

Step One - Remove document information from client

We replaced the <a> with a button. On that button, the only information we have is the identifier of the document to be shown - we already had a table where references to all the documents are stored so we only use that tables' id...

<asp:Button ID="idShow" runat="server" Text="View Document" 
        CommandName="Show" CommandArgument="[document-id]" 
        OnCommand="ButtonCommand" /> 

For totally removing information, we pass even that document-id on the session - so no way client can see and reuse it...

protected void ButtonCommand ( Object sender, CommandEventArgs e )
  Button oBtn = ( Button )sender;
  if ( oBtn.CommandName == "Show" )
    Session.Add( "file_id", oBtn.CommandArgument );
    ScriptManager.RegisterStartupScript( this, this.GetType( ), "showFile", 
    "'FileStream.aspx')", true );

There is a flaw in this solution, as most modern browsers will block the new window we try to open as a suspected popup. However, according the security experts, we are working with it's ain't problem, and that bit of involvement of the end user is expected...

Step Two - Render the document

The most important part is how we use the document-id we received. Use and destroy! So after rendering the document once even page refresh will result in some kind of missing document.

int nID = Convert.ToInt32( Session[ "file_id" ] );
Session.Remove( "file_id" ); 

DocumentDetails oDocumentDetails = oDAL.GetDocumentDetails( nID ); 

With that code, we have all the information on the requested document so we can move to the rendering phase...

string szPath = Server.MapPath( Path.Combine( oDocumentDetails.Path ) );
Response.Clear( );
Response.ContentType = MimeMapping.GetMimeMapping( szPath );
Response.TransmitFile( szPath )
Response.End( ); 

This is maybe the most simple code you ever saw. The only catchy part is the ContentType. You have to put there the right MIME type for your document, otherwise your browser may display it as gibberish.

In this sample, I use a .NET 4.5 feature - GetMimeMapping, however in older application, you may write a method (with some switch-case) to retrieve the correct MIME type.

How It Looks Like

In the image, you can see that while the user opened two different documents, the address bar of both is the same. On the other hand, the browser knows exactly well how to handle the document as we send the correct MIME type...

Demo Code

The code represented inside the tip will not compile into a full solution - however the attached demo contains a full - working solution...


You will notice that not a bit of information about the origin of the document made known to the client machine, so even on a shared computer will no security/privacy problem present itself...


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Kornfeld Eliyahu Peter
Software Developer (Senior)
Israel Israel
Born in Hungary, got my first computer at age 12 (C64 with tape and joystick). Also got a book with it about 6502 assembly, that on its back has a motto, said 'Try yourself!'. I believe this is my beginning...

Started to learn - formally - in connection to mathematics an physics, by writing basic and assembly programs demoing theorems and experiments.

After moving to Israel learned two years in college and got a software engineering degree, I still have somewhere...

Since 1997 I do development for living. I used 286 assembly, COBOL, C/C++, Magic, Pascal, Visual Basic, C#, JavaScript, HTML, CSS, PHP, ASP, ASP.NET, C# and some more buzzes.

Since 2005 I have to find spare time after kids go bed, which means can't sleep to much, but much happier this way...

Free tools I've created for you...

You may also be interested in...


Comments and Discussions

Questioncould you put some screenshots? Pin
Southmountain22-Jan-14 4:44
memberSouthmountain22-Jan-14 4:44 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.161021.1 | Last Updated 22 Jan 2014
Article Copyright 2014 by Kornfeld Eliyahu Peter
Everything else Copyright © CodeProject, 1999-2016
Layout: fixed | fluid