My website creates a file and stores it in a specific location unique to the user who is authenticated. My first question is:
1) If you use a hyperlink to access the file, it displays the full path to the file including the folder in the lower left corner of the browser. I suppose there is nothing that can be done about this? Is there a way to mask the URL showing down there? I'm talking about when you hover your mouse over the link.
and
2) After you click the link, the full path is shown in the browser bar. My website contains sensitive information. Now, if I go into the URL and remove the actual file name and just leave the full path with the folder at the end, an unauthorized message will appear when I attempt to access the folder. That's good, but any hacker would know the folder where the file was stored. I have a small web.config under my users folder:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="user" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
Should this web.config also be under every subfolder of the users directory?
My site structure is:
root/users/folder of user/other folders
Is there any way that the user folder can get compromised once displayed? Can the URL in the browser be masked some way when viewing a file via hyperlink? If not, how does one download a file from a website using SaveAs to their computer without displaying the URL to the file?
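
An added example, not part of the original post: one way to offer a download without any link to the stored file is to route it through a handler that checks the signed-in user on every request and streams the file from that user's own folder. The class name, the `name` query parameter, the storage root and the one-folder-per-user-name mapping are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Web;

// Added example with hypothetical names; not code from the original post.
public class UserFileHandler : IHttpHandler
{
    // Assumption: files are kept outside the web root, one folder per user name.
    private const string StorageRoot = @"D:\AppData\UserFiles";

    public bool IsReusable { get { return true; } }

    // True only for a plain name: no separators, colons, quotes or control chars.
    private static bool IsBareName(string s)
    {
        return !string.IsNullOrEmpty(s)
            && s.IndexOfAny(Path.GetInvalidFileNameChars()) < 0;
    }

    public void ProcessRequest(HttpContext context)
    {
        var user = context.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole("user"))
        {
            context.Response.StatusCode = 401; // same rule as the web.config
            return;
        }

        string fileName = context.Request.QueryString["name"];
        if (!IsBareName(user.Identity.Name) || !IsBareName(fileName))
        {
            context.Response.StatusCode = 400;
            return;
        }

        // The folder comes from the authenticated identity, never from the request.
        string userRoot = Path.GetFullPath(Path.Combine(StorageRoot, user.Identity.Name))
                          + Path.DirectorySeparatorChar;
        string fullPath = Path.GetFullPath(Path.Combine(userRoot, fileName));

        // Rejects "." and ".." and anything else resolving outside the user's folder.
        if (!fullPath.StartsWith(userRoot, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + fileName + "\"");
        context.Response.TransmitFile(fullPath); // browser shows a Save As prompt
    }
}
```

Links then point at the handler (for example a hypothetical `download.ashx?name=report.pdf`), and the protection comes from the per-request identity check rather than from the path being hidden.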