We have a library of ZIP files that we would like to make available for download at an ASP.NET site.

The files are sitting on a NAS device that is accessible from out web farm.

Here is our initial strategy:

1. Map an IIS virtual directory to the shared drive at path /zipfiles
2. Users can download the zip files when given the URL

However, if users share links to the files, anyone can download them. We would instead like to make use of the ASP.NET forms authentication in our site to validate users' requests before initiating the file transfer.

A few problems: A request for a zip file is handled by IIS, not ASP.NET. So it is not subject to forms authentication. In addition, we don't want ASP.NET to handle the request, because it uses up an ASP.NET thread and is not scalable for download of large files. So, configuring the asp.net dll to handle *.zip requests is not an option.

Any ideas on this?

One idea we've tossed around is this: Initial request for download will be for an ashx handler. This handler will, after authentication, generate a download token which is saved to a database. Then, the user is redirected to the file with token appended in QueryString (e.g. /files/xyz.zip?token=123456789). An ISAPI plugin will be used to check the token. Also, the token will expire after x amount of time. Any thoughts on this? I have not implemented an ISAPI plugin so I'm not sure if this will even work.

I would like to avoid custom coding since security is an issue and I'd prefer to use a time-tested solution.