Solved

Restrict download of exe file

Posted on 2004-03-29
Last Modified: 2012-05-04
I want to provide a link to my company's setup program on our website. I only want to allow logged in users to be able to access and download this file. However, once the user is able to view the path to the file, what stops them from sharing this path and allowing everyone else to download the file as well? Is there anything I can do to stop this?
Question by:PLavelle
22 Comments
 
LVL 17

Expert Comment

by:dorward
ID: 10707824
http://www.allmyfaqs.com/faq.pl?PasswordProtect

Of course there is nothing to stop them sharing their password, or the file directly.
0
 

Author Comment

by:PLavelle
ID: 10707838
that link doesn't seem to work.
0
 
LVL 17

Expert Comment

by:dorward
ID: 10707952
0
 

Author Comment

by:PLavelle
ID: 10707964
We're using .NET so that won't work.
0
 
LVL 15

Expert Comment

by:Timbo87
ID: 10708138
If you're running ASP.NET you can use authorization on the directory. Even if they get the URL, they won't be able to download it without logging in, as long as the file is in the same directory as the web.config file. Another option is using the built in directory security in IIS, if you have direct access to IIS Manager. Both solutions are equally secure.

This link will tell you how to set up ASP.NET authorization:
http://www.dotnetjunkies.com/quickstart/aspplus/doc/authorization.aspx

The example just checks with if(username == "bob")... If you had a lot of users it would be much more efficient to put it into a database and loop through than using an if statement for each user.
0
 

Author Comment

by:PLavelle
ID: 10708730
Editing the web.config file seems to let me deny access to .aspx pages, but not a setup.exe file in the same directory.
0
 
LVL 4

Accepted Solution

by:
Danielcmorris earned 250 total points
ID: 10710922
This may seem like a pain, but I deal with a lot of private file systems.  I don't actually place the shared files on a public area.  I use the FileSystemObject to list the files in a directory on the server, but not one within the website, a private directory which is not served.

So, you have an asp page that shows a list of files in that directory, BUT, the links don't actually go to the file.  They all go to an asp page that opens and reads that file and then feeds it out using response.textstream.

here is an asp example.  I'm sure you can translate it into .net:
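<%
' Only stream the file to a logged-in session
if session("loggedin")=true then

Response.Buffer = True

set fso=createobject("scripting.filesystemobject")

' Keep only the file-name part so "..\" in the request cannot leave c:\private_files
strFileName=fso.getfilename(request("strFileName"))

strFilePath="c:\private_files\" & strFileName

' Unknown or empty name: answer 404 instead of raising a script error
if not fso.fileexists(strFilePath) then
  set fso=nothing
  Response.Status = "404 Not Found"
  Response.End
end if

set f=fso.getfile(strfilepath)
strFileSize = f.size
set f=nothing: set fso=nothing
Const adTypeBinary = 1
Response.Clear
' Load the file as binary and write it to the response
Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = adTypeBinary
objStream.LoadFromFile strFilePath
strFileType = "application/text" ' change to the correct content type for your file
' "attachment" makes the browser save the file instead of opening it
Response.AddHeader "Content-Disposition", "attachment; filename=" & strFileName
Response.AddHeader "Content-Length", strFileSize
Response.Charset = "UTF-8"
'Response.ContentType = strFileType
Response.BinaryWrite objStream.Read
Response.Flush
objStream.Close
Set objStream = Nothing

Else

response.redirect "login.asp"
end if
%>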

good luck

ps.  this technique is great if you want to force a download rather than having someone open the item up in their browser.  I use it instead of putting links to word docs and excel docs.  (I hate when they open up in the browser)
0
 
LVL 10

Assisted Solution

by:effx
effx earned 250 total points
ID: 10715803
if you are using ASP there is a much easier way to do this :

<%

If UserLoggedIn = True Then
  Response.Redirect("YourFile.EXE")
Else
  Response.Redirect("NotLoggedIn.ASP")
End If

%>

You will have to replace the "UserLoggedIn" with your session variable and the YourFile.EXE with your file and NotLoggedIn.ASP with either your login screen or unauthorised file access screen or whatever you think of
0
 
LVL 10

Expert Comment

by:effx
ID: 10715829
This is the most secure way of doing the download thing, it also works for people trying to leech files/images
0
 

Author Comment

by:PLavelle
ID: 10715834
effx, won't the path to the executable file be accessible to everyone in your example?
0
 
LVL 10

Expert Comment

by:effx
ID: 10715879
I agree with the stream thing if you are keeping the files outside of the web root but my method is much easier to implement plus it will not give away the file download location :-), My method will only work if you store the files on the site and not outside of the webroot, ie. Below the webroot in the directory structure
0
 

Author Comment

by:PLavelle
ID: 10715901
Danielcmorris, any comments on this solution compared to yours?
0
 
LVL 4

Expert Comment

by:Danielcmorris
ID: 10716125
Well, I don't keep executables on my web root, but effx's solution certainly is easier.  Still, the file would be accessible to the public, even if they didn't see the path....

I don't know, how secure do you want it?  I use the response.redirect type security as well, but only when I'm not all that concerned.  If this is an internal file that isn't that big a deal, well, then it isn't that big a deal and you should stick with the simplest solution.  Basically, I always go with the most simple solution I can come up with.

Maybe if I explain why I use it you will be able to decide if it is worth the effort.

99% of my clients are extra-net clients.  People who have made their internal databases web-based and are giving their people access to a specific set of files.  A lot of those files are private health information or financial information about their clients.  I can't allow that information to be scraped, so I keep those files in a separate directory on the server (it's actually not usually even on the same machine).  I give my clients internal access to that directory so they can drag & drop files into it from their office and then get to it via the extranet.  However, that information isn't ever actually "on the web", it is only available via the filesystemobject after a login.

So, for me, it has been a life saver, but if you only have one or 2 files, and they're not all that critical, don't worry about it.

-dan
0
 
LVL 10

Expert Comment

by:effx
ID: 10725200
The path to the exe file will not be available it is then kept private, especially if you are using a database to transfer to the files, for example, www.download.com they will be using the same method.
0
 
LVL 10

Expert Comment

by:effx
ID: 10725365
OK, I have a bit more time now, I will put a * next to the lines that can be copied for the advanced bit.

The file you set the download file to would be, for example :

   http://www.yoursite.com/verify.asp

Or for a bit more advanced :
*   http://www.yoursite.com/verify.asp?file=0001

in the verify.asp would be this code:

<%
If UserLoggedIn = True Then
  Response.Redirect("YourFile.EXE")
Else
  Response.Redirect("NotLoggedIn.ASP")
End If
%>

Or for a bit more advanced :
*<%
*'This Could Run From a database one column with id's in and another column with file paths in
*'But for ease i will use the select case method
*Select Case Request.QueryString("file")
*  Case "0001"
*    FileRedirect = "YourFile1.EXE"
*  Case "0002"
*    FileRedirect = "YourFile1.EXE"
*End Select
*If UserLoggedIn = True Then
*  Response.Redirect(FileRedirect)
*Else
*  Response.Redirect("NotLoggedIn.ASP")
*End If
*%>

When the user clicks on the link it will offer the user to save the file as verify.asp or possibly something along those lines.

This will not show the actual file location but the location of http://www.yoursite.com/verify.asp

So now the file is hidden from the user/member :-), as for the login thing if you want I could give you my login script very powerful encryption near impossible to break, anyway I hope this has enlightened you :-)
0
 
LVL 4

Expert Comment

by:Danielcmorris
ID: 10725705
I just thought of this...

If you redirect the user to an exe, won't it bring up a big nasty warning to the user?  

usually read by my clients as:
DANGER WILL ROBINSON!  YOU ARE ABOUT TO EXECUTE A PROGRAM THAT WILL MAKE YOUR HEAD EXPLODE!

hee hee hee.  Honestly, people are freaks

Anyway, If you use that last bit from effx, you can change it a bit so the user is forced to download the program and isn't going to execute it.  (works the same for excel or word docs, so they don't open in the browser window and are forced to download.)

<%
If UserLoggedIn = True Then
 ' Response.Redirect("YourFile.EXE")
 'instead.
  getfile "YourFile.EXE"
 
Else
  Response.Redirect("NotLoggedIn.ASP")
End If
%>



<%
' Streams a file from the site as an attachment so the browser saves it
function getfile(strfilepath)
' Map the site-relative path to a physical path on the server
strfilepath=server.mappath(strfilepath)
set fso=createobject("scripting.filesystemobject")
set f=fso.getfile(strfilepath)
strFileSize = f.size
' File name shown in the browser's save dialog
strFileName = fso.getfilename(strfilepath)
set f=nothing: set fso=nothing
Const adTypeBinary = 1
Response.Clear
Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = adTypeBinary
objStream.LoadFromFile strFilePath
strFileType = "application/text" ' change to the correct content type for your file
Response.AddHeader "Content-Disposition", "attachment; filename=" & strFileName
Response.AddHeader "Content-Length", strFileSize
Response.Charset = "UTF-8"
'Response.ContentType = strFileType
Response.BinaryWrite objStream.Read
Response.Flush
objStream.Close
Set objStream = Nothing
end function
%>

-------------------
Either way, it will work fine.
0
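The gated download from the accepted solution, combined with the id lookup effx describes, written as an ASP.NET handler. This is an added example, not code from any poster; it assumes Forms authentication populates `context.User`, and the handler name, `C:\private_files`, the id table and `login.aspx` are hypothetical.

```csharp
// Added example (not from the thread). Assumed names: DownloadHandler,
// C:\private_files, the id table and login.aspx.
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

public class DownloadHandler : IHttpHandler
{
    // Folder outside the web root, so IIS never serves it directly.
    private const string PrivateRoot = @"C:\private_files";

    // Opaque id -> file name; the client never supplies a path.
    private static readonly Dictionary<string, string> Files =
        new Dictionary<string, string>
        {
            { "0001", "setup.exe" }   // constructed sample entry
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // Gate on the authenticated identity, not on knowledge of the URL.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            response.Redirect("login.aspx", false);
            return;
        }

        // Unknown or missing ids get a 404; nothing from the query string
        // is ever concatenated into a file system path.
        string id = context.Request.QueryString["file"];
        string name;
        if (id == null || !Files.TryGetValue(id, out name))
        {
            response.StatusCode = 404;
            return;
        }

        string fullPath = Path.Combine(PrivateRoot, name);
        if (!File.Exists(fullPath)) { response.StatusCode = 404; return; }

        // "attachment" forces a save dialog instead of opening in the browser.
        response.ContentType = "application/octet-stream";
        response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + name + "\"");
        response.TransmitFile(fullPath);
    }
}
```

Because the file sits outside the site and every request passes the login check, a shared link only works for someone who is already signed in.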
 
LVL 10

Expert Comment

by:effx
ID: 10725731
That's good, nice
0
 
LVL 10

Expert Comment

by:effx
ID: 10725748
Plus you could use this to get files from below the root of the site :-)
0
 
LVL 10

Expert Comment

by:effx
ID: 10725772
One last thing, you will need to put the function before the redirect thing
0
 
LVL 4

Expert Comment

by:Danielcmorris
ID: 10726526
you do??
0
 

Author Comment

by:PLavelle
ID: 10747822
These are both valid answers so I have accepted both. Danielcmorris' solution is the most secure, but I think effx's solution is important for people who don't have the ability to store files outside of the root of the site.

I have chosen to go with Danielcmorris's solution for my site, so I have posted additional points for him here:

http://oldlook.experts-exchange.com:8080/Web/Q_20942408.html
0
 

Author Comment

by:PLavelle
ID: 10902555
Danielcmorris,

Please accept the additional points I provided so I can close the question.

Here is the link:

http://oldlook.experts-exchange.com:8080/Web/Q_20942408.html
0
