Have you ever considered your container to be personal? This will prevent people from directly loading drops. By doing this, you have full control over who can upload files and how long they can do it.
Suppose that only registered users can upload a file, and you are using ASP.NET MVC. Then you may have an action like this:
[Authorize] public ActionResult Download(string blobName) { CountDownload(blobName); var blobClient = storageAccount.CreateCloudBlobClient(); var container = blobClient.GetContainerReference(containerName); var blob = container.GetBlobReference(blobname); var sas = blob.GetSharedAccessSignature ( new SharedAccessPolicy { Permissions = SharedAccessPermissions.Read, SharedAccessStartTime = DateTime.Now.ToUniversalTime(), SharedAccessExpiryTime = DateTime.Now.ToUniversalTime().AddHours(1) } ); return Content(blob.Uri.AbsoluteUri + sas); }
What does it mean:
- The Authorize attribute allows only users who are logged in to access this action.
- You increase downloads for this blob
- You get a blob link based on name
- You create a signature that allows you to download blob within 1 hour
- You are returning the blob URL with the signature (you can also redirect it to the blob url)
By sending a signed URL through your application, you have full control, and you can even look at other scenarios like CAPTCHA, pay for downloads, advanced permissions in your application, ...