morcilla

Redirect to a password protected directory using response.redirect

Hi Everyone,

How can I redirect a user to a password protected IIS5 (basic authentication) file/folder using something like response.redirect ("Http://username:password@your.url.com/file.mid")?
I am trying to do this, but it looks like ASP doesn't like the idea of putting sensitive user info in the URL, but I guess it is the only way to do what I need to do.
The basic idea is to hide the final URL, but the files will be hosted on another server. Anyway, the cellphone doesn't like the idea of server.transfer even with the proper mime types set; that is why I am trying the response.redirect with the username and password included.

Do you know how I can do this?

Thanks a lot!
ASKER CERTIFIED SOLUTION
Göran Andersson
morcilla

ASKER


Thanks GreenGhost for the answer, but how can I do the ADODB.Stream if the binary file (midi) is located on another server?

And the weird thing is that I made a server.transfer to a midi file, I just put the correct mime type, and it worked on the PC but not on the cell phone, so I guess it is for the extension of the file. Anyway, I tried that with the midi located on the same server, and I guess server.transfer doesn't work for files located on other servers.

I guess that hiding the URL is not the most important thing, since the user will download the file on the cell phone and looking at the URL is kinda complicated there.

What do you think? How can I do this?

Thanks!
To read a file from a different server, you need to have a shared directory on the other server, that is set up so that the IUSR account on the first server can access it. You might have to use a domain controlled user account for anonymous access instead of the standard IUSR account to get this to work.

If you make a Server.Transfer to a file that is not an ASP file, it will still be executed as an ASP file. With some files this will work anyway, but some files will produce errors when ASP tries to execute them.

You can only do a Server.Transfer to a file on the same server anyway.

Does the other server have ASP capabilities? Can you put an ASP file there, that will open the correct file with ADODB.Stream and write it out? Then you could link to that file instead.

If you can use ADODB.Stream to write the files out, the files don't even have to be available via the internet. You can place them outside the wwwroot file tree so that they are only available through the ASP file.
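
An added example, not part of the original answers: a classic ASP page along the lines described above, which streams a file stored outside wwwroot with ADODB.Stream so that no credentials ever appear in a URL. The folder path, the `f` query parameter, the `Session("User")` login marker and the file-name pattern are assumptions made for illustration.

```asp
<%@ Language=VBScript %>
<%
Option Explicit
Response.Buffer = True

' Assumption: folder outside wwwroot (or a share the ASP account can read)
Const FILE_ROOT = "D:\media\"
Const adTypeBinary = 1

Dim name, re, fso, path, stream

' Assumption: a login page on this server sets Session("User") after authenticating
If Session("User") = "" Then
    Response.Status = "403 Forbidden"
    Response.End
End If

' Accept only a bare file name ending in .mid; this rejects slashes,
' backslashes and ".." so the request cannot leave FILE_ROOT
name = Request.QueryString("f")
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]{1,64}\.mid$"
re.IgnoreCase = True
If Not re.Test(name) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

path = FILE_ROOT & name
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(path) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' Read the file as binary and write it to the client with the MIDI MIME type
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile path
Response.ContentType = "audio/midi"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & name & """"
Response.BinaryWrite stream.Read
stream.Close
Set stream = Nothing
%>
```
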
Hey,

A simple (slightly insecure, but more secure than having the password in the URL) way of doing it is to use the session state.

To use the session state you need to enable it in the web.config file:

<configuration>
    <system.web>
            <sessionState cookieless="true" timeout="15"/>
    </system.web>
</configuration>

cookieless can be set to false if you prefer.

When you authenticate the user you could then say
Session["User"]=txtBoxUserName.Text; //or something to that effect

Then you can set permissions to the folder in the web.config file so only certain users can access it:

      <location path="members">
            <system.web>
                  <authorization>
                        <allow users="Administrator, Fred, David" />
                        <deny users="*" />
                  </authorization>
            </system.web>
      </location>

? - guest, so alternatively, if you want every registered user to be allowed access, you could say

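      <location path="members">
            <system.web>
                  <authorization>
                        <!-- Rules are evaluated top-down and the first match wins, so deny anonymous users (?) before allowing everyone else -->
                        <deny users="?" />
                        <allow users="*" />
                  </authorization>
            </system.web>
      </location>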

From this to more secure forms of authentication you just need to implement forms authentication and place users in roles, but from the sound of it that's more complex than you'd like to get.

NOTE: web.config HAS to be in the root of your application (you can have versions of it not in the root, but I generally find it less confusing to put it in the root only).

In the example, members is the restricted folder.

So the address for the members folder would be www.youraddress.com/members/

You can also restrict files.

If a user attempts to access a page they don't have access to, they get redirected to Login.aspx in your root directory.

I hope this helps
-Ashleigh