Does using response.redirect to download files reveal download location?

Posted on 2003-10-22
Last Modified: 2012-08-13
Hi,

I am developing an ASP app that downloads files from a hidden folder.  I was wondering if just using the command response.redirect (folder/filename) would be sufficient enough to prevent the download folder location from being revealed in the browser?

I have tested this on my server and so far it seems to work fine (i.e. the file downloads with no reference to its folder location) but does anyone know if this is 100% compatible with all browsers or whether there is a way a user could 'force reveal' the download path?

I did originally use ADODB.Stream to deliver the file but I understand there are memory limitations on downloading binary files in this way which is not suitable for my app.  I hope you can help!
Question by:alphabeata
11 Comments
 
LVL 21

Expert Comment

by:ap_sajith
ID: 9597421
I think it might not be safe enough. Did you try clicking on the stop button on the browser once the response.redirect actually kicks in? Or did you try how it would perform if there is a broken network connection once the redirect is called? I haven't tested it out... just a hunch. I would suggest using the ADODB.Stream & FSO method of forcing a download as long as the file size is not astronomical :o).

Cheers!!
0
 
 

Author Comment

by:alphabeata
ID: 9597668
The ADODB.Stream and FSO method is what I am currently using and it works well but I do not want to place any restrictions on the file download size.  I understand that the buffer stream is limited server side so any file download request over that limit would fail.

I know that if you do a response.redirect to a music file it starts playing in your default player (e.g. Windows Media Player) and it is possible to view the download location via the information that the player contains.  However I have tried it with Zip files and I cannot see any reference to the true file location.

I will try to stop a download of a large file halfway through and see if it reveals the download location.  I'll post my results here.
0
 

Author Comment

by:alphabeata
ID: 9597896
OK, I tried using the ADODB.Stream and FSO method on a binary file over 30MB in size and it completely froze on me so that's out of the question (and I'm on a T1 connection!).  Using the 'response.redirect' method creates a much more stable download easily capable of handling large binary files.  I tried to stop the download by cancelling it from the dialog box and it still didn't reveal the download folder location.

So back to my original question - does anybody know whether a user can determine the download path from a response.redirect (folder/filename)?
0
 
LVL 21

Expert Comment

by:ap_sajith
ID: 9598077
There are no issues with the redirect method, I suppose.

Cheers!!
0
 
LVL 58

Expert Comment

by:Gary
ID: 9598217
Even if they find the original location, what's the problem?  If the folder is hidden then it's not accessible through a browser.
0
 
LVL 29

Expert Comment

by:Göran Andersson
ID: 9598740
Certainly a user can determine the location of the file.

I think that this will show the address: Copy the URL of the original link, and paste that in a browser window. The server runs the page and returns the new address to the browser. The address of the "hidden" folder should be visible in the address field.

How do you use the ADODB.Stream to read the file? Do you read the entire file into a variable before writing it to the response stream? That would most certainly kill the server if the file size is larger than the free memory on the server...
0
 
LVL 29

Expert Comment

by:Göran Andersson
ID: 9598752
> Even if they find the original location, what's the problem?  If the folder is hidden then it's not accessible through a browser.

To use Response.Redirect, the file has to be accessible through a browser.
0
 

Author Comment

by:alphabeata
ID: 9599181
Sorry, by hidden I mean not known to the user and not published as a link on the website.  I want it to remain a secret.  The folder's attribute is not set to 'hidden'.

I have copied and pasted the URL of the original link into a browser window (which calls an ASP page with encrypted variables in the querystring to determine the file location) and using response.redirect the folder/file location is not revealed in the browser but immediately opens up a file download dialog box prompting the user to open or save the file.

This is fine as it is the desired result I am looking for, however I need to know if a user could bypass this or in any way reveal the full download URL?

0
 
LVL 29

Accepted Solution

by:
Göran Andersson earned 500 total points
ID: 9602405
As the redirected URL is sent to the browser, it's certainly possible to reveal it.

For example, there are download managers that take over the downloads from the browser. The browser sends the URL to the download manager to do the download. I bet some of the download managers reveal the full URL of the file. Also, you could make a fake download manager that only receives the URL from the browser and displays it.

That was one example. I bet there are even easier ways of doing it...

Don't some browsers even show the URL in the download status window? If you pull the network cable during the download, doesn't the error message reveal the URL?
0
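The point of the accepted answer, as an added example that is not code from this thread: a Python stand-in for the ASP download page compares what the client receives from a redirect with what it receives when the script streams the file itself in fixed-size chunks. The route names, the folder name and the sample file are all constructed for the illustration.

```python
import atexit, http.client, http.server, os, tempfile, threading

HIDDEN_URL = "/files-x9k2/report.zip"      # constructed "secret" folder name
CHUNK = 64 * 1024
# Constructed stand-in for the download, stored outside any web-served folder.
fd, FILE_ON_DISK = tempfile.mkstemp(suffix=".zip")
os.write(fd, b"PK\x03\x04" + b"\0" * 200_000)
os.close(fd)
atexit.register(os.remove, FILE_ON_DISK)

class Handler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args): pass     # keep the demo quiet
    def do_GET(self):
        if self.path == "/download-redirect":
            # Equivalent of Response.Redirect: the real path is sent to the client.
            self.send_response(302)
            self.send_header("Location", HIDDEN_URL)
            self.end_headers()
        elif self.path == "/download-stream":
            # The script serves the bytes itself; memory use is bounded by CHUNK.
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Disposition", 'attachment; filename="report.zip"')
            self.send_header("Content-Length", str(os.path.getsize(FILE_ON_DISK)))
            self.end_headers()
            with open(FILE_ON_DISK, "rb") as f:
                for chunk in iter(lambda: f.read(CHUNK), b""):
                    self.wfile.write(chunk)
        else:
            self.send_error(404)

def fetch(path):
    """GET path without following redirects; return (status, headers, body size)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        return resp.status, dict(resp.getheaders()), len(body)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for p in ("/download-redirect", "/download-stream"):
        print(p, *fetch(p))
```

Any client that reads the 302 response sees the `Location` header, whether or not the browser's address bar ever displays it; the streamed response carries only the file name chosen for `Content-Disposition`.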
 

Author Comment

by:alphabeata
ID: 9604879
Aaah.. of course!  So obvious as well!  Thanks GreenGhost, the download managers would be the culprits.  You get the points.  Thanks for all your help.
0
