Securing content
We are planning to offer content only accessible to paying customers. Obviously, securing this content against unauthorized access is a big concern. We use IIS; right now the whole site is developed in ASP, but we could use .NET if needed.
The ideas I have so far about how to do it are:
- An ASP module / CGI that checks for user and password, and if they are correct reads the file and sends it to the user. That would be secure enough, but I'm concerned about the server load that a CGI sending a large binary file directly to a client would cause, instead of letting IIS handle the sending.
- Using IIS security, as far as I know, would require creating a Windows user in the server machine for every paying customer, which is unfeasible for us.
- The most efficient way to handle it would be an ISAPI filter to check our user database before allowing access to the paying files. But developing ISAPI filters is complex stuff, and it would also mean that every time there is a server problem, the systems people would blame the filter instead of trying to fix it on their end. ;)
- Another team that uses Unix solved this very same problem by creating temporary symbolic links to the files, which were deleted 15 minutes after the user accessed them. But I cannot do that on Windows. I can create virtual directories in IIS, but that would mean putting every file in a different directory, and besides, I'm not sure about creating virtual directories programmatically.
What do you people think? Should I take the risk and make the ISAPI filter? Would the first option be really that bad for the server? Am I missing a much simpler way to do what I want?
Thanks in advance.
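
The first option in the post, written as an ASP.NET (System.Web) handler; this is an added example, not code from the original poster. It assumes the handler is mapped to a URL and that site authentication has already populated `context.User`; `PremiumFileHandler`, `PremiumRoot`, the `file` query parameter and the `PayingCustomers` set (a stand-in for the user database) are hypothetical names.

```csharp
// Added example: gate paid files behind an authorization check, then let
// the server send the file without loading it into application memory.
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

public class PremiumFileHandler : IHttpHandler
{
    // Assumption: paid files live outside the web root, so IIS never serves them directly.
    private static readonly string PremiumRoot =
        Path.GetFullPath(@"D:\premium-content") + Path.DirectorySeparatorChar;
    // Constructed sample data standing in for the customer database lookup.
    private static readonly HashSet<string> PayingCustomers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "alice", "bob" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Only authenticated users who are paying customers get any further.
        var user = context.User;
        if (user == null || !user.Identity.IsAuthenticated ||
            !PayingCustomers.Contains(user.Identity.Name))
        {
            context.Response.StatusCode = 403;
            return;
        }
        // 2. Canonicalize the requested name and refuse anything that resolves
        //    outside PremiumRoot ("..\" sequences, absolute paths, other drives).
        string name = context.Request.QueryString["file"] ?? "";
        string fullPath;
        try { fullPath = Path.GetFullPath(Path.Combine(PremiumRoot, name)); }
        catch (Exception) { fullPath = null; }   // malformed path input
        if (fullPath == null ||
            !fullPath.StartsWith(PremiumRoot, StringComparison.OrdinalIgnoreCase) ||
            !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }
        // 3. Keep shared caches from storing paid content, then hand the file
        //    to the server: TransmitFile does not buffer it in memory.
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.TransmitFile(fullPath);
    }
}
```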