Solved

Does using response.redirect to download files reveal download location?

Posted on 2003-10-22
Last Modified: 2012-08-13
Hi,

I am developing an ASP app that downloads files from a hidden folder.  I was wondering if just using the command response.redirect (folder/filename) would be sufficient enough to prevent the download folder location from being revealed in the browser?

I have tested this on my server and so far it seems to work fine (i.e. the file downloads with no reference to its folder location) but does anyone know if this is 100% compatible with all browsers or whether there is a way a user could 'force reveal' the download path?

I did originally use ADODB.Stream to deliver the file but I understand there are memory limitations on downloading binary files in this way which is not suitable for my app.  I hope you can help!
Question by:alphabeata
11 Comments
 
LVL 21

Expert Comment

by:ap_sajith
ID: 9597421
I think it might not be safe enough. Did you try clicking on the stop button on the browser once the response.redirect actually kicks in? Or did you try how it would perform if there is a broken network connection once the redirect is called? I haven't tested it out... just a hunch. I would suggest using the ADODB.Stream & FSO method of forcing a download as long as the file size is not astronomical :o).

Cheers!!
0
 
LVL 21

Expert Comment

by:ap_sajith
ID: 9597471
I think it might not be safe enough. Did you try clicking on the stop button on the browser once the response.redirect actually kicks in? Or did you try how it would perform if there is a broken network connection once the redirect is called? I haven't tested it out... just a hunch. I would suggest using the ADODB.Stream & FSO method of forcing a download as long as the file size is not astronomical :o).

Cheers!!
0
 

Author Comment

by:alphabeata
ID: 9597668
The ADODB.Stream and FSO method is what I am currently using and it works well but I do not want to place any restrictions on the file download size.  I understand that the buffer stream is limited server side so any file download request over that limit would fail.

I know that if you do a response.redirect to a music file it starts playing in your default player (e.g. Windows Media Player) and it is possible to view the download location via the information that the player contains.  However I have tried it with Zip files and I cannot see any reference to the true file location.

I will try to stop a download of a large file halfway through and see if it reveals the download location.  I'll post my results here.
0
 

Author Comment

by:alphabeata
ID: 9597896
OK, I tried using the ADODB.Stream and FSO method on a binary file over 30MB in size and it completely froze on me so that's out of the question (and I'm on a T1 connection!).  Using the 'response.redirect' method creates a much more stable download easily capable of handling large binary files.  I tried to stop the download by cancelling it from the dialog box and it still didn't reveal the download folder location.

So back to my original question - does anybody know whether a user can determine the download path from a response.redirect (folder/filename)?
0
 
LVL 21

Expert Comment

by:ap_sajith
ID: 9598077
There are no issues with the redirect method, I suppose.

Cheers!!
0
 
LVL 58

Expert Comment

by:Gary
ID: 9598217
Even if they find the original location, what's the problem?  If the folder is hidden then it's not accessible through a browser.
0
 
LVL 29

Expert Comment

by:Göran Andersson
ID: 9598740
Certainly a user can determine the location of the file.

I think that this will show the address: Copy the URL of the original link, and paste that in a browser window. The server runs the page and returns the new address to the browser. The address of the "hidden" folder should be visible in the address field.

How do you use the ADODB.Stream to read the file? Do you read the entire file into a variable before writing it to the response stream? That would most certainly kill the server if the file size is larger than the free memory on the server...
0
 
LVL 29

Expert Comment

by:Göran Andersson
ID: 9598752
> Even if they find the original location, what's the problem?  If the folder is hidden then it's not accessible through a browser.

To use Response.Redirect, the file has to be accessible through a browser.
0
 

Author Comment

by:alphabeata
ID: 9599181
Sorry, by hidden I mean not known to the user and not published as a link on the website.  I want it to remain a secret.  The folder's attribute is not set to 'hidden'.

I have copied and pasted the URL of the original link into a browser window (which calls an ASP page with encrypted variables in the querystring to determine the file location) and using response.redirect the folder/file location is not revealed in the browser but immediately opens up a file download dialog box prompting the user to open or save the file.

This is fine as it is the desired result I am looking for, however I need to know if a user could bypass this or in any way reveal the full download URL?

0
 
LVL 29

Accepted Solution

by:
Göran Andersson earned 125 total points
ID: 9602405
As the redirected URL is sent to the browser, it's certainly possible to reveal it.

For example, there are download managers that take over the downloads from the browser. The browser sends the URL to the download manager to do the download. I bet some of the download managers reveal the full URL of the file. Also, you could make a fake download manager that only receives the URL from the browser and displays it.

That was one example. I bet there are even easier ways of doing it...

Don't some browsers even show the URL in the download status window? If you pull the network cable during the download, doesn't the error message reveal the URL?
0
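
The point made in the accepted answer, shown at the HTTP level as an added example (not code from this thread, and written in Python rather than ASP): a redirect puts the real file URL in the `Location` header that every client receives, while a handler that reads the file itself and relays it in fixed-size chunks exposes no path and never holds the whole file in memory. The endpoint names, the folder name and the sample file are constructed for the demonstration.

```python
import http.client, os, tempfile, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample data: an "unpublished" URL and a file stored outside any web root.
SECRET_URL = "/x9f3-private/report.zip"
STORE = tempfile.mkdtemp()
PAYLOAD = os.urandom(300_000)
with open(os.path.join(STORE, "report.zip"), "wb") as f:
    f.write(PAYLOAD)

class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path == "/get-redirect":
            # Same effect as Response.Redirect: the real URL is sent to the client.
            self.send_response(302)
            self.send_header("Location", SECRET_URL)
            self.end_headers()
        elif self.path == "/get-stream":
            # The server opens the file itself and relays it 64 KB at a time.
            path = os.path.join(STORE, "report.zip")
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Disposition", 'attachment; filename="report.zip"')
            self.send_header("Content-Length", str(os.path.getsize(path)))
            self.end_headers()
            with open(path, "rb") as src:
                while chunk := src.read(64 * 1024):
                    self.wfile.write(chunk)
        else:
            self.send_error(404)

def fetch(path):
    """Issue one GET without following redirects; return (status, headers, body)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(fetch("/get-redirect")[:2])  # status 302 and a Location header with the real path
    print(fetch("/get-stream")[1])     # headers of the streamed download: no path anywhere
```

With the streaming approach the storage folder does not need to be reachable by URL at all, so access control in the download script is the only way to the file.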
 

Author Comment

by:alphabeata
ID: 9604879
Aaah.. of course!  So obvious as well!  Thanks GreenGhost, the download managers would be the culprits.  You get the points.  Thanks for all your help.
0
