lalkacr

hide url/query string in address bar for asp.net

I am writing an ASP.NET 2.0/VB.NET site and I need to pass a client# to a page to pull up a client-specific PDF. I don't want to allow the name.pdf to show in the address bar...because someone could just change the name of the PDF to view someone else's info. How do I hide the query string or the folder/folder/name.pdf from showing?

This is what I have as the page_Init...fires

        Response.Redirect("http://localhost/folder/folder/" & queryString)
The address bar will display:
http://www.site.com/folder/folder/name.pdf

I want :
http://www.site.com

If I can use JavaScript of some sort to simply hide the address bar that would be great...or just clean up the URL, I don't care.


Thanks in advance...
TheAnarchist

The only real way you can go about doing this is by using frames. http://www.site.com would point to the page that has the frame, and that frame would load every other page, while the URL stayed the same (because that would be the URL of the parent page - the frameset - and not the child pages).

I don't recommend this as being a good idea for a website, but if you want to mask your URLs, that's how it's done. Why do you want to mask your URLs?
You can also encrypt your query string.

.Net
 http://www.devcity.net/PrintArticle.aspx?ArticleID=47
I was thinking more on the lines of what LeeHenry suggests.  Even if you hide the URL behind a frameset, smart users can still figure out the URL.

To really secure client PDFs from being requested by an unauthorized client, you will probably have to perform some form of authentication and indirectly retrieve the PDF.

For example, you could store the PDF in a directory that isn't shared by your web server, but you could write a script that retrieves the file only if an authenticated user requests it.  Is that what you're looking for?
You could create a page that reads your now encrypted querystring (nice link LeeHenry)  and then redirect to the new page.  The C# version (I think the HttpContext line is the only one that needs changing for VB) of the code I think would be something like:
// decryptQueryString is the poster's own helper (not shown); it returns the real path.
HttpContext incoming = HttpContext.Current;
incoming.RewritePath(decryptQueryString(strQueryString), false);

This will redirect the page as it should but all in the background without actually changing the URL.  If I remember rightly.  The code I have that does this is in the office and I'm working from home today.
Don't give a direct link to the pdf.  In fact, store them outside the web root.
Then create a page that checks the user's permission then does a binary write of the pdf that was passed in the query string...

'check permissions
Response.ContentType = "application/pdf"
Response.AddHeader("content-disposition", "attachment; filename=somefile.pdf;")
Response.WriteFile("path/to/users/file.pdf")
Or, you could easily replace
Response.Redirect("http://localhost/folder/folder/" & queryString)
with
Server.Execute("name.pdf")
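One way to implement the "store the PDFs outside the web root, check permission, then write the file" approach suggested above, as an added example that is not code from any poster in this thread: an ASP.NET 2.0 handler in VB.NET. The class name, the session key `ClientNumber` (assumed to be set by the login page after authentication) and the folder `D:\ClientDocs` are assumptions.

```vb
Imports System
Imports System.IO
Imports System.Text.RegularExpressions
Imports System.Web
Imports System.Web.SessionState

' Added example: code for a handler such as GetClientPdf.ashx (hypothetical name).
Public Class ClientPdfHandler
    Implements IHttpHandler, IRequiresSessionState

    ' Assumption: PDFs are stored outside the web root as <client number>.pdf.
    Private Const PdfRoot As String = "D:\ClientDocs"

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' Anonymous callers get nothing.
        If Not context.Request.IsAuthenticated Then
            context.Response.StatusCode = 401
            Return
        End If

        ' Assumption: the login page stored the client number in Session.
        ' It is never read from the query string, a cookie or a form field.
        Dim clientNumber As String = TryCast(context.Session("ClientNumber"), String)
        If clientNumber Is Nothing OrElse _
           Not Regex.IsMatch(clientNumber, "\A[0-9]+\z") Then
            context.Response.StatusCode = 403
            Return
        End If

        ' Resolve the path and confirm it is still inside PdfRoot.
        Dim fullPath As String = Path.GetFullPath(Path.Combine(PdfRoot, clientNumber & ".pdf"))
        If Not fullPath.StartsWith(PdfRoot & "\", StringComparison.OrdinalIgnoreCase) _
           OrElse Not File.Exists(fullPath) Then
            context.Response.StatusCode = 404
            Return
        End If

        ' Generic file name, so no client identifier reaches the browser UI.
        context.Response.ContentType = "application/pdf"
        context.Response.AddHeader("Content-Disposition", "inline; filename=document.pdf")
        context.Response.WriteFile(fullPath)
    End Sub

    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property
End Class
```

Because the file is chosen from server-side session state, the URL is the same for every client and editing it, or a cookie, cannot select another client's document.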
lalkacr

ASKER

I thank all of you for your input...when I came down to it the frameset stuff worked the easiest. I just replaced the querystring with cookie stuff. All the other solutions worked, but I could still see the link and vital info in the title bar of which you can do nothing about after a new window fires to PDF...I did not have control over the new window after that... I really liked the stuff from LeeHenry!!!! I really wanted to give you props on that one...nice man. I will be using that on a proj in the near future... All the stuff adding 'application/pdf' & "attachment; file..." would give me errors that the file would be decrypted wrong because it was sent as an email attachment???? grrrrrrrr.

Thanks again