Does using response.redirect to download files reveal download location?

Hi,

I am developing an ASP app that downloads files from a hidden folder.  I was wondering if just using the command response.redirect (folder/filename) would be sufficient enough to prevent the download folder location from being revealed in the browser?

I have tested this on my server and so far it seems to work fine (i.e. the file downloads with no reference to its folder location) but does anyone know if this is 100% compatible with all browsers or whether there is a way a user could 'force reveal' the download path?

I did originally use ADODB.Stream to deliver the file but I understand there are memory limitations on downloading binary files in this way which is not suitable for my app.  I hope you can help!
alphabeataAsked:

ap_sajithCommented:
I think it might not be safe enough. Did you try clicking on the stop button on the browser once the response.redirect actually kicks in? Or did you try how it would perform if there is a broken network connection once the redirect is called? I haven't tested it out.. just a hunch. I would suggest using the ADODB.Stream & FSO method of forcing a download as long as the file size is not astronomical :o).

Cheers!!
0
alphabeataAuthor Commented:
The ADODB.Stream and FSO method is what I am currently using and it works well but I do not want to place any restrictions on the file download size.  I understand that the buffer stream is limited server side so any file download request over that limit would fail.

I know that if you do a response.redirect to a music file it starts playing in your default player (e.g. Windows Media Player) and it is possible to view the download location via the information that the player contains.  However I have tried it with Zip files and I cannot see any reference to the true file location.

I will try to stop a download of a large file halfway through and see if it reveals the download location.  I'll post my results here.
0
alphabeataAuthor Commented:
OK, I tried using the ADODB.Stream and FSO method on a binary file over 30MB in size and it completely froze on me so that's out of the question (and I'm on a T1 connection!).  Using the 'response.redirect' method creates a much more stable download easily capable of handling large binary files.  I tried to stop the download by cancelling it from the dialog box and it still didn't reveal the download folder location.

So back to my original question - does anybody know whether a user can determine the download path from a response.redirect (folder/filename)?
0
ap_sajithCommented:
There are no issues with the redirect method, I suppose..

Cheers!!
0
GaryCommented:
Even if they find the original location what's the problem?  If the folder is hidden then it's not accessible through a browser.
0
Göran AnderssonCommented:
Certainly a user can determine the location of the file.

I think that this will show the address: Copy the URL of the original link, and paste that in a browser window. The server runs the page and returns the new address to the browser. The address of the "hidden" folder should be visible in the address field.

How do you use the ADODB.Stream to read the file? Do you read the entire file into a variable before writing it to the response stream? That would most certainly kill the server if the file size is larger than the free memory on the server...
0
Göran AnderssonCommented:
> Even if they find the original location what's the problem?  If the folder is hidden then it's not accessible through a browser.

To use Response.Redirect, the file has to be accessible through a browser.
0
alphabeataAuthor Commented:
Sorry, by hidden I mean not known to the user and not published as a link on the website.  I want it to remain a secret.  The folder's attribute is not set to 'hidden'.

I have copied and pasted the URL of the original link into a browser window (which calls an ASP page with encrypted variables in the querystring to determine the file location) and using response.redirect the folder/file location is not revealed in the browser but immediately opens up a file download dialog box prompting the user to open or save the file.

This is fine as it is the desired result I am looking for, however I need to know if a user could bypass this or in any way reveal the full download URL?

0
Göran AnderssonCommented:
As the redirected URL is sent to the browser, it's certainly possible to reveal it.

For example, there are download managers that take over the downloads from the browser. The browser sends the URL to the download manager to do the download. I bet some of the download managers reveal the full URL of the file. Also, you could make a fake download manager that only receives the URL from the browser and displays it.

That was one example. I bet there are even easier ways of doing it...

Don't some browsers even show the URL in the download status window? If you pull the network cable during the download, doesn't the error message reveal the URL?
0
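
An added illustration of the point made in the answer above (not code from the thread): a Python stand-in for the ASP page, with a constructed path and payload, showing that a redirect places the folder in the `Location` header of the raw HTTP response whatever a browser displays, while a script that streams the bytes itself sends no path. The route names and `SECRET_PATH` are assumptions made for the demo.

```python
import http.client
import http.server
import threading

SECRET_PATH = "/files-x7q2/report.zip"         # constructed "hidden" location
PAYLOAD = b"PK\x03\x04 constructed zip bytes"  # constructed file content


class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/download-redirect":
            # Equivalent of Response.Redirect: the target is sent to the client.
            self.send_response(302)
            self.send_header("Location", SECRET_PATH)
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path in ("/download-stream", SECRET_PATH):
            # /download-stream: the script sends the bytes itself, in chunks.
            # SECRET_PATH: a redirect target has to be web-served to work at
            # all, so whoever reads the Location header can request it directly.
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Disposition", 'attachment; filename="report.zip"')
            self.send_header("Content-Length", str(len(PAYLOAD)))
            self.end_headers()
            for i in range(0, len(PAYLOAD), 8):
                self.wfile.write(PAYLOAD[i:i + 8])
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(path):
    """Request `path` without following redirects; return (status, headers, body)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        result = (resp.status, dict(resp.getheaders()), resp.read())
        conn.close()
        return result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path in ("/download-redirect", "/download-stream"):
        status, headers, body = fetch(path)
        print(path, status, headers.get("Location"), len(body))
```

If the folder must stay unknown, the streaming form is the one to use, with the files stored outside the web root so that no URL maps to them and with access checked in the script on every request.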
alphabeataAuthor Commented:
Aaah.. of course!  So obvious as well!  Thanks GreenGhost, the download managers would be the culprits.  You get the points.  Thanks for all your help.
0