Redirect to a password protected directory using response.redirect

Hi Everyone,

How can i redirect a user to a password protected IIS5 (basic authentication) file/folder using something like response.redirect ("Http://username:password@your.url.com/file.mid")?
I am trying to do this but looks like ASP doesnt like the idea of putting sensitive user info on the url, but i guess is the only way to do what i need to do.
The basic idea is to hide the final URL, but the files will be hosted on another server, anyway the cellphone doesnt like the idea server.transfer even with the propper mime types set, that is why i am trying the response.redirect with the username and password included.

Do you know how can i do this?

thanks a lot!
morcillaAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Göran AnderssonCommented:
A Response.Redirect does not at all hide the final URL. Check this:
http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_20774244.html

You can only do Server.Transfer to ASP files, not any other type of files.

To disclose the location of the file, you have to use an ADODB.Stream object to read the file and write it to the response stream. Exactly what you tried to do with Server.Transfer.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
morcillaAuthor Commented:

Thanks GreenGhost for the answer, but how can i do the ADODB.Stream if the binary file (midi) is located on another server?

And the weird thing is that i made a server.transfer to a midi file, i just putted the correct mime type, and it worked on the PC but not in the cell phone, so i guess is for the extension of the file, anyway i tried that with the midi located on the same server, and i guess server.transfer doenst work for files located on another servers.

I guess that to hide the URL is not the most important thing, since the user will download the file in the cell phone and looking at the url is kinda complicated there.

What do you think? how can i do this?

Thanks!
0
Göran AnderssonCommented:
To read a file from a different server, you need to have a shared directory on the other server, that is set up so that the IUSR account on the first server can access it. You might have to use a domain controlled user account for anonymous access instead of the standard IUSR account to get this to work.

If you make a Server.Transfer to a file that is not an ASP file, it will still be executed as an ASP file. With some files this will work anyway, but some files will produce errors when ASP tries to execute them.

You can only do a Server.Transfer to a file on the same server anyway.

Does the other server have ASP capabilities? Can you put an ASP file there, that will open the correct file with ADODB.Stream and write it out? Then you could link to that file instead.

If you can use ADODB.Stream to write the files out, the files doen't even have to be available via internet. You can place them outside the wwwroot file tree so that they are only available through the ASP file.
0
AshleighGreenCommented:
Hey,

a simple (slightly unsecure, but more secure than having the password in the URL) way of doing it is to use the session state.

To use the session state you need to enable it in the web.config file:

<configuration>
    <system.web>
            <sessionState cookieless="true" timeout="15"/>
    </system.web>
</configuration>

cookieless can be set to false if you prefer.

When you authenticate the user you could then say
Session["User"]=txtBoxUserName.Text; //or something to that effect

Then you can set permissions to the folder in the web.config file so only certain users can access it:

      <location path="members">
            <system.web>
                  <authorization>
                        <allow users="Administrator, Fred, David" />
                        <deny users="*" />
                  </authorization>
            </system.web>
      </location>

? - guest, so alternatively, if you want everyone registered user to be allowed to access you could say

      <location path="members">
            <system.web>
                  <authorization>
                        <allow users="*" />
                        <deny users="?" />
                  </authorization>
            </system.web>
      </location>

From this to more secure forms of authentication you just need to implement forms authentication and place users in roles, but from the sound of it that's more complex than you'd like to get.

NOTE web.config HAS to be in the root of your application. (you can have versions of it not in the root, but I generally find it less confusing to put it in the root only).

in the example, members is the restricted folder.

so the address for the members folder would be www.youraddress.com/members/

you can also restrict files.

If a user attempts to access a page they dont' have access to, they get redirected to Login.aspx in your root directory.

I hope this helps
-Ashleigh
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASP

From novice to tech pro — start learning today.