How to prevent downloading....

Hi,
how can I prevent someone from downloading a file from my server.
For ex. my server is www.adil.com and on the root dir. I've a file mydoc.doc. Now any body can download this file by giving the url www.adil.com/mydoc.doc
Is there any way so that only authorised users can download this file.
There is a site www.i-drive.com They are doing the same thing. They use SessionID to allow user to download a file. Without the sessionID, you can't download file.
How can be this implemented?
LVL 1
m_adilAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mkdebontCommented:
It can't. Each file you are viewing online is saved in the cache.

Each webpage, pictures, sounds are saved in the temporary directory.

People (who knows!!) search in there temporary dir and have to document also.


There is no way to prevent downloading.
0
m_adilAuthor Commented:
>> Each webpage, pictures, sounds are saved in temporary directory.

it saved in temporary directory after you've visited that page. but what if you havent visited that page?

What happening in i-drive.com is that after login, you've given a unique SessionID. Now you can visit that page (mydoc.doc) only when you include that sessionID with the url. For ex.
after login I've given a sessionID say a222bcff445t8. Now I know the url of my file. its https://www.idrive.com/adil/Dropbox/b2.htm?id=2305843012434919436&JServSessionId=QV0wiFXjO.z.mQaFrV.JS12
Now if I enter just https://www.idrive.com/adil/Dropbox/b2.htm, the file will not come. To visit the file i've to give the complete url.

So how they are doing this?

To try it out, you can go to www.i-drive.com Register ur self. (its free). Upload some files and then try downloading them with out SessionID
0
m_adilAuthor Commented:
oops. did some typing mistakes.

in simple words, if i know the url of my file, then i should be able to view the file by entering its url i.e. www.idrive.com/adil/Dropbox/b2.htm
but in this case, i can not view the file until unless i include the sessionID in the url. i.e.
www.idrive.com/adil/Dropbox/b2.htm?id=2305843012434919436&JServSessionId=QV0wiFXjO.z.mQaFrV.JS12
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

mkdebontCommented:
I did goto the first link and he asked immediatly if I want to download the file. (0 bytes)

And if I tried the second file then I did get nothing.

So that is good...


To do that also ASP is required!!

With ASP you can get the sessionid and more variables.

If the sessionid is filled then you can write the page (file) otherwise you put nothing into the content of the file and the can download anything.

It isn't that hard but you must know it how to do it!!

Martijn
http://www.thekitchen.nl

In this site is also ASP used and variables!! (The hotspot)
0
mkdebontCommented:
0
m_adilAuthor Commented:
but how an asp will interact without any refference. the url i've given  
www.idrive.com/adil/Dropbox/b2.htm?id=2305843012434919436&JServSessionId=QV0wiFXjO.z.mQaFrV.JS12
is a refference to b2.htm, not any asp. and by entering this url, the browser should open b2.htm

I cant understand this thing yet.
0
TTomCommented:
Other than entering the entire URL as you have listed, how do you access the file.  Is this a site where you are a registered user?  Do you have to log in when you access the site?  Does the site store a cookie on your machine?

This has to do with authentication on the web server.  The URL you are putting in most likely is sent to a script which processes it to see if you are a valid user, and returns the page if you are.

Tom
0
m_adilAuthor Commented:
1. Is this a site where you are a registered user?  
yes, I'm a registered user there.

2. Do you have to log in when you access the site?  
Yes i've to

3. Does the site store a cookie on your machine?
No.

4. Other than entering the entire URL as you have listed, how do you access the file.
right, but upon entering the entire URL, why can't I access the file?

This is what happening there.
If there is a file(say abc.zip) on the net, and I know its URL. say it is www.somesite.com/files/abc.zip Now I should be able to download this file upon entering this URL, but in this case, I can not download the file until I include SessionID with the URL. And this sessionID is generated by the server after login.
Is the web server playing this game?
Is it possible that each request made by the client is first process by the script at the server and the script checks for the user validity, and in case of valid user, it is directed to the requested page?
0
djsansuiCommented:
I think that you guys are headed in the wrong direction here.  All M_adil needs to do is put it in a protected directory.

Upload the file to a subdirectory of the main folder.  Then you must create 2 files, an .htaccess and an .htpasswd

first, create the .htaccess file in that new directory. it should then contain the following lines:

AuthUserFile /yourpath/.htpasswd
AuthGroupFile /yourpath/.htpassgp
AuthName "Secure Directory"
AuthType Basic

<Limit GET>
require valid-user
</Limit>

Now you need to change /yourpath/ to the full path of the directory that appears in telnet when you log in to that directory.

Next create the .htpasswd file.  It is very simple, all it needs to contain are lines like this:

user:password

the password must be encrypted with a utility like the one at http://campuscgi.princeton.edu/~willman/encrypt.  to make multiple users, just have each user on a new line in the file.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
TTomCommented:
m_adil:

"Is the web server playing this game?
Is it possible that each request made by the client is first process by the script at the server and the script checks for the user validity, and in case of valid user, it is directed to the requested page?"

I think your previous comment covers it.  The web server is checking to see if you are a valid user before delivering the file.

It comes down to how your server is configured for authentication.

djsansui has given details for one type of server, but you will need to check with your host about their specific capabilities for protecting pages/areas of your site.

Tom

0
m_adilAuthor Commented:
then i think I and djsansui should divide the points :-)
0
TTomCommented:
Sounds good to me. (:-}

Tom
0
djsansuiCommented:
I'll agree to that :-)

BTW: anyone notice EE finally made the tables strech to screen width?
0
m_adilAuthor Commented:
yup and this is good.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
HTML

From novice to tech pro — start learning today.