Restrict download of exe file

PLavelle asked
Last Modified: 2012-05-04
I want to provide a link to my company's setup program on our website. I only want to allow logged in users to be able to access and download this file. However, once the user is able to view the path to the file, what stops them from sharing this path and allowing everyone else to download the file as well? Is there anything I can do to stop this?

Commented:
http://www.allmyfaqs.com/faq.pl?PasswordProtect

Of course there is nothing to stop them sharing their password, or the file directly.

Author

Commented:
That link doesn't seem to work.

Author

Commented:
We're using .NET so that won't work.

Commented:
If you're running ASP.NET you can use authorization on the directory. Even if they get the URL, they won't be able to download it without logging in, as long as the file is in the same directory as the web.config file. Another option is using the built-in directory security in IIS, if you have direct access to IIS Manager. Both solutions are equally secure.

This link will tell you how to set up ASP.NET authorization:
http://www.dotnetjunkies.com/quickstart/aspplus/doc/authorization.aspx

The example just checks with if(username == "bob")... If you had a lot of users it would be much more efficient to put it into a database and loop through than using an if statement for each user.

Author

Commented:
Editing the web.config file seems to let me deny access to .aspx pages, but not a setup.exe file in the same directory.

Commented:
This is the most secure way of doing the download thing; it also works for people trying to leech files/images.

Author

Commented:
effx, won't the path to the executable file be accessible to everyone in your example?

Commented:
I agree with the stream thing if you are keeping the files outside of the web root, but my method is much easier to implement, plus it will not give away the file download location :-). My method will only work if you store the files on the site and not outside of the webroot, i.e. below the webroot in the directory structure.

Author

Commented:
Danielcmorris, any comments on this solution compared to yours?

Commented:
Well, I don't keep executables on my web root, but effx's solution certainly is easier. Still, the file would be accessible to the public, even if they didn't see the path...

I don't know, how secure do you want it?  I use the response.redirect type security as well, but only when I'm not all that concerned.  If this is an internal file that isn't that big a deal, well, then it isn't that big a deal and you should stick with the simplest solution.  Basically, I always go with the most simple solution I can come up with.

Maybe if I explain why I use it you will be able to decide if it is worth the effort.

99% of my clients are extranet clients: people who have made their internal databases web-based and are giving their people access to a specific set of files. A lot of those files are private health information or financial information about their clients. I can't allow that information to be scraped, so I keep those files in a separate directory on the server (it's actually not usually even on the same machine). I give my clients internal access to that directory so they can drag & drop files into it from their office and then get to it via the extranet. However, that information isn't ever actually "on the web"; it is only available via the filesystemobject after a login.

So, for me, it has been a life saver, but if you only have one or 2 files, and they're not all that critical, don't worry about it.

-dan

Commented:
The path to the exe file will not be available; it is then kept private, especially if you are using a database to transfer to the files. For example, www.download.com, they will be using the same method.

Commented:
OK, I have a bit more time now. I will put a * next to the lines that can be copied for the advanced bit.

The file you set the download file to would be, for example:

   http://www.yoursite.com/verify.asp

Or for a bit more advanced :
*   http://www.yoursite.com/verify.asp?file=0001

in the verify.asp would be this code:

<%
If UserLoggedIn = True Then
  Response.Redirect("YourFile.EXE")
Else
  Response.Redirect("NotLoggedIn.ASP")
End If
%>

Or for a bit more advanced :
*<%
*'This Could Run From a database one column with id's in and another column with file paths in
*'But for ease i will use the select case method
*Select Case Request.QueryString("file")
*  Case "0001"
*    FileRedirect = "YourFile1.EXE"
*  Case "0002"
*    FileRedirect = "YourFile2.EXE"
*End Select
*If UserLoggedIn = True Then
*  Response.Redirect(FileRedirect)
*Else
*  Response.Redirect("NotLoggedIn.ASP")
*End If
*%>

When the user clicks on the link it will offer the user to save the file as verify.asp or possibly something along those lines.

This will not show the actual file location but the location of http://www.yoursite.com/verify.asp

So now the file is hidden from the user/member :-). As for the login thing, if you want I could give you my login script, very powerful encryption, near impossible to break. Anyway, I hope this has enlightened you :-)

Commented:
I just thought of this...

If you redirect the user to an exe, won't it bring up a big nasty warning to the user?  

usually read by my clients as:
DANGER WILL ROBINSON!  YOU ARE ABOUT TO EXECUTE A PROGRAM THAT WILL MAKE YOUR HEAD EXPLODE!

hee hee hee.  Honestly, people are freaks

Anyway, if you use that last bit from effx, you can change it a bit so the user is forced to download the program and isn't going to execute it. (Works the same for Excel or Word docs, so they don't open in the browser window and are forced to download.)

<%
If UserLoggedIn = True Then
 ' Response.Redirect("YourFile.EXE")
 'instead.
  getfile "YourFile.EXE"
 
Else
  Response.Redirect("NotLoggedIn.ASP")
End If
%>



<%
Function getfile(strFilePath)
  ' Resolve the virtual path to a physical path on disk
  strFilePath = Server.MapPath(strFilePath)
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set f = fso.GetFile(strFilePath)
  strFileSize = f.Size
  strFileName = f.Name ' name offered in the browser's Save dialog
  Set f = Nothing: Set fso = Nothing
  Const adTypeBinary = 1
  ' Discard any buffered output, then load the file as binary
  Response.Clear
  Set objStream = Server.CreateObject("ADODB.Stream")
  objStream.Open
  objStream.Type = adTypeBinary
  objStream.LoadFromFile strFilePath
  strFileType = "application/text" ' change to the correct content type for your file
  ' "attachment" makes the browser save the file instead of opening it
  Response.AddHeader "Content-Disposition", "attachment; filename=" & strFileName
  Response.AddHeader "Content-Length", strFileSize
  Response.Charset = "UTF-8"
  'Response.ContentType = strFileType
  Response.BinaryWrite objStream.Read
  Response.Flush
  objStream.Close
  Set objStream = Nothing
End Function
%>

-------------------
Either way, it will work fine.
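
The two answers combined, as an added example that is not part of the original thread: one Classic ASP download page that checks the login on every request, maps the file id to a fixed name as in effx's Select Case, and streams the bytes as in the getfile function, from a folder outside the web root. Session("UserLoggedIn"), the PRIVATE_DIR path and the LookupFile helper are assumptions made for illustration.

```vbscript
<%
Option Explicit
' Added example (not from the thread). Assumptions: the login page sets
' Session("UserLoggedIn") = True, and PRIVATE_DIR is a hypothetical folder
' outside the web root, so no URL maps to the files stored in it.
Const PRIVATE_DIR = "D:\private_downloads\"
Const adTypeBinary = 1
Const CHUNK_SIZE = 65536

' Translate the public id from ?file= into a fixed file name. The visitor
' never supplies a path, so the request cannot name any other file on disk.
Function LookupFile(id)
  Select Case id
    Case "0001": LookupFile = "YourFile1.EXE"
    Case "0002": LookupFile = "YourFile2.EXE"
    Case Else:   LookupFile = ""
  End Select
End Function

Dim fileName, fso, stream
' 1. Every request is checked, so a shared link is useless without a session.
If Session("UserLoggedIn") <> True Then Response.Redirect "NotLoggedIn.ASP"

' 2. Unknown ids and missing files get a 404 instead of an empty redirect.
fileName = LookupFile(CStr(Request.QueryString("file")))
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If fileName = "" Or Not fso.FileExists(PRIVATE_DIR & fileName) Then
  Response.Status = "404 Not Found"
  Response.End
End If
Set fso = Nothing

' 3. Stream the bytes in chunks; the browser only ever sees this page's URL.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile PRIVATE_DIR & fileName
Response.Clear
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.AddHeader "Content-Length", CStr(stream.Size)
Do While Not stream.EOS
  Response.BinaryWrite stream.Read(CHUNK_SIZE)
  Response.Flush
Loop
stream.Close
Set stream = Nothing
%>
```

Because the installer is never stored under the site, knowing or sharing the link only leads back to this login check.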

Commented:
That's good, nice

Commented:
Plus you could use this to get files from below the root of the site :-)

Commented:
One last thing, you will need to put the function before the redirect thing

Commented:
You do??

Author

Commented:
These are both valid answers so I have accepted both. Danielcmorris' solution is the most secure, but I think effx's solution is important for people who don't have the ability to store files outside of the root of the site.

I have chosen to go with Danielcmorris's solution for my site, so I have posted additional points for him here:

http://oldlook.experts-exchange.com:8080/Web/Q_20942408.html

Author

Commented:
Danielcmorris,

Please accept the additional points I provided so I can close the question.

Here is the link:

http://oldlook.experts-exchange.com:8080/Web/Q_20942408.html