only logged in users can see files ?

Hi all,

I have a site like this:
- login.asp: users log in with a username and password
- home.asp: if login is successful, a list of links is shown. Some links point to documents on our server. But these documents should only be seen by authorized users (i.e. logged in users). (for example, one link shows our file aaa.doc)

If someone who is not logged in, or doesn't even know about our system, writes this URL in their browser:
www.oursite.com/home.asp.... they are automatically redirected to login.asp

However, if this same person writes:
www.oursite.com/aaa.doc.... there's no way to redirect them to login.asp, and the file is shown to unauthorized users.

Note that authorized users of this site are web users, not server users. So I do *NOT* want to protect the folder and make them write a server username and password every time they try to access the document url. I want them to be redirected to login.asp every time they write www.oursite.com/aaa.doc on their browsers.

Any thoughts?

Thanks!
Asked: VenezuelanGirl

2 Solutions
 
kevp75Commented:
there isn't a scripting method to do what you need.  Your best bet to protect those files is to put them inside a folder in your root and set user permissions on the folder, making them log in.  or....

you could do like I said by putting them inside another folder in your root, but use a database to store the path information.  Then when you need to link to the files, link via a recordset.  Just use the record's ID as the link, to open the document, via another file that would load it
(this doesn't really solve the issue, but it does hide a bit...)

other than that I am afraid you may be out of luck
0
 
NovoNordiskCommented:
Are they all documents that are listed on the page?  If so you could write a script to display the document links on an asp page but make the page only available to the authenticated users?
0
 
WMIFCommented:
i believe that the proper way to lock down your files is to hide them like the above experts have pointed out, but you present them to the user through a binary stream instead of just pointing to the file itself.  i am by no means an expert with this method as i have not even attempted it, but i know that it works.  i think that the expert here sybe is good with the binary streams.

check out these questions for some example code.

secure file download (Binary File) - http:Q_20409851.html (sybe is in this one)
Downloaded Word Document loses its format - http:Q_20715355.html
0
 
B_DorseyCommented:
Build in an ISAPI filter to see if the user is logged in!

Basically if I am not mistaken then an ISAPI running on IIS will execute first... so check if the user is logged in and then proceed with whatever needs to be done.

b
0
 
VenezuelanGirlAuthor Commented:
Thank you for all the answers.

B_Dorsey: Could you please elaborate a little bit more on the ISAPI filter, what will it exactly do? how should I implement it? It's the first time I hear about it.

With regard to the other 3 answers, they are good, but I think they'll only work if the file is accessed through my system; however, they don't solve the problem of unauthorized users accessing the file by writing the url path in their browsers.


How about having a user on the IIS server (say USERWEB), who has access to the folder where the documents are. So, every time someone logs in through login.asp, that person is also automatically logged in to the server as USERWEB, and thus has access to the files. It's like logging in to the server through an ASP page, so the user won't be prompted with the server window asking for username and password, and just has to fill in their info in the login.asp page. Is something like this possible?  Thanks


0
 
WMIFCommented:
>>they don't solve the problem of unauthorized users accessing the file by writing the url path in their browsers.

this is incorrect.  by locating the files on a lower level than the website, the users won't be able to type in the url and get to them.

c:
  -websites
    -webapp
      -docs
      -wwwroot
        -images

with your site pointed to the 'wwwroot' folder, the 'docs' folder is out of reach of the url of the site.  it is not out of reach of your asp scripts though.
0
 
VenezuelanGirlAuthor Commented:
Thanks for the info WMIF !

By now, every time I wanted to show a file to the registered users, I did something like this:

<a href='www.oursite.com/aaa.doc'>link</a>

When you say:
>> with your site pointed to the 'wwwroot' folder, the 'docs' folder is out of reach of the url of the site.  it is not out of reach of your asp scripts though.

How can I access those docs through an asp script, and show them to the logged in authorized users?

Thanks
0
 
VenezuelanGirlAuthor Commented:
In any case, every time I show the files to the users, they will know the URL by looking at the top blue part of the window, right? How can I prevent this?

Sorry about the trouble, I'm a bit confused. Thanks
0
 
WMIFCommented:
read through the questions i gave you links to above.  the users will not be accessing these files directly.  you will point to a page that will retrieve the contents of the doc files, and stream that to the browser.
0
 
VenezuelanGirlAuthor Commented:
I read through them, and tried the code, but I just got the browser to display things like this:

?>rBD:M?CQ?kR6(W? ^?I^?_}[c^2f??Nr?%s tMOy???>?~?*???    etc...


any thoughts?
0
 
WMIFCommented:
not really, because i have not used this method as i mentioned above.  i was just trying to point you to the method.
0
 
kevp75Commented:
your browser is displaying the binary content of the file being sent to it.

if I'm not mistaken (which I may)  WMIF's second link provides the solution for that issue.
0
 
B_DorseyCommented:
I forget, it's been a while since I used it, but creating an ISAPI filter that you register with IIS would not be too difficult.

I used one called http://www.helicontech.com/HotlinkBlocker/

It's a plugin to IIS, it's usually used to protect against leeching, but can be used to make sure the user is logged in also... take a look at it and see if it helps.

If not try doing a search for ISAPI session checkers or something like that, that way you can tell if the user has a valid session that you specify or cookie.

Hope it helps.

B
0
 
VenezuelanGirlAuthor Commented:
Yeah, I already tried the first and second link, and I always get the funny characters.

Any thoughts on how to solve the original problem?  :-(
0
 
VenezuelanGirlAuthor Commented:
Thanks B_Dorsey.... that sounds like a good option.. the only thing is that it costs $99... I was looking for something I could code on my own, or in any case, something a little bit cheaper.
0
 
B_DorseyCommented:
There are a few that are cheaper, to me it's just easier than trying all kinds of bells and whistles to make stuff work. Google it a bit and I'm sure you will find some others that are a lot cheaper. They work great, that's why I suggested them. If I find my links to the others that do the same thing I will post them

take care, good luck

b
0
 
fritz_the_blankCommented:
To follow WMIF's excellent suggestion of placing the files in sibling or parent directories, one possible step forward would be to stream your files. Here is some sample code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE> New Document </TITLE>
<%
Function downloadFile( strFile, strDownloadFilename )
     Dim strFilename, objStream, objFilesystem, objFilestream
     Dim intFileLength
     ' get full path of specified file
     strFilename = server.MapPath(".")  & "\" & strFile
     ' clear the buffer (drops the HTML already written above this point)
     Response.Buffer = True
     Response.Clear

     ' create stream
     Set objStream = Server.CreateObject("ADODB.Stream")
     objStream.Open

     ' set as binary
     objStream.Type = 1

     ' check the file exists
     Set objFilesystem = Server.CreateObject("Scripting.FileSystemObject")
     if not objFilesystem.FileExists(strFilename) then
          Response.Write("<h1>Error</h1>: " & strFilename & " does not exist<p>")
          Response.End
     end if

     ' get length of file
     Set objFilestream = objFilesystem.GetFile( strFilename )
     intFileLength = objFilestream.size

     ' without On Error Resume Next a failed load ends the page with a 500
     ' before the Err check below ever runs
     On Error Resume Next
     objStream.LoadFromFile( strFilename )
     if Err.Number <> 0 then
          Response.Write("<h1>Error: </h1>" & Err.Description & "<p>")
          Response.End
     end if
     On Error GoTo 0

     'format strFileName
     if Len( Trim(strDownloadFilename) ) > 0 then
          strDownloadFilename = Trim( strDownloadFilename )
     else
          strDownloadFilename = objFilestream.name
     end if

     ' send the headers to the users browser
     ' a generic binary type is what makes the browser offer Save/Open
     ' instead of rendering the bytes as text; no Response.Charset, a
     ' charset parameter means nothing on binary content
     Response.ContentType = "application/octet-stream"
     Response.AddHeader "Content-Disposition", "attachment; filename=" & strDownloadFilename
     Response.AddHeader "Content-Length", intFileLength

     ' output the file to the browser in 128000-byte chunks until the stream is exhausted
     Do While Not objStream.EOS
          Response.BinaryWrite(objStream.Read(128000))
          Response.Flush
     Loop

     ' tidy up
     objStream.Close
     Set objStream = Nothing
     Set objFilestream = Nothing
     Set objFilesystem = Nothing

     ' stop here so the </BODY></HTML> below is not appended to the file
     Response.End
End Function
%>
</HEAD>

<BODY>
<%
Call downloadFile("YourFileName.zip", "YourFileHowItAppears.zip" )
%>
</BODY>
</HTML>


FtB
0
 
kevp75Commented:
Comment from kevp75, 05/26/2006 12:03PM PDT:

>>your browser is displaying the binary content of the file being sent to it.
>>
>>if I'm not mistaken (which I may)  WMIF's second link provides the solution for that issue.

which is also the code fritz just posted, and it will do the trick
0
 
fritz_the_blankCommented:
I may be misunderstanding one of the posts above, but I think that your directory structure should be like this:

C:
    webroot
    documents

This way, the URL points at webroot, and there is no way to get at the documents. If you do this:

C:
    webroot
       documents

then it would be possible to do www.YourSite.com/documents/somefile.pdf

and download it. So sibling or parent directories are the best way to go for security.

FtB
0
 
kevp75Commented:
true fritz, but I think the whole point is to not be able to go like this www.YourSite.com/documents/somefile.pdf

I agree with WMIF, have your document directory at the same level as your webroot, and just allow IUSR access to it.  Then write your code for the documents download and use a physical path to be the document dir.

so instead of pointing to c:\webroot\documents\
 point it to c:\documents\ and let the code initiate the download from there.

to point out directly...use fritz's code, just change this line:
strFilename = server.MapPath(".")  & "\" & strFile

to be

strFilename = "c:\documents\" & strFile
0
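Putting the thread's pieces together (WMIF's folder outside the web root, fritz's ADODB.Stream download, kevp75's physical path) as a single download.asp that home.asp links to instead of the raw document URL. This is an added example, not code from any poster. It assumes login.asp stores the user in Session("UserID") on success, that the documents sit in C:\documents beside the web root with read access for the IIS anonymous account, and that links look like download.asp?f=aaa.doc; those names are assumptions, not something the thread states.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' download.asp : the only URL that ever hands a document to the browser.
' Assumed (not from the thread): login.asp sets Session("UserID"),
' documents live in C:\documents (a sibling of wwwroot, so no URL reaches them).
Const DOC_ROOT = "C:\documents\"

' 1. Same gate home.asp already has: no session, no file.
If Len(Session("UserID")) = 0 Then
    Response.Redirect "login.asp"
End If

' 2. Accept only a bare file name. The pattern allows no "\", "/" or "..",
'    so "?f=..\wwwroot\global.asa" style requests are rejected before any disk access.
Function SafeFileName(ByVal name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_\-]+\.[A-Za-z0-9]{1,5}$"
    If re.Test(name) Then
        SafeFileName = name
    Else
        SafeFileName = ""
    End If
End Function

' 3. Content type by extension (chisholmd's suggestion); anything unknown is
'    sent as opaque bytes, which is what makes the browser offer Save/Open
'    instead of printing the file as text.
Function ContentTypeFor(ByVal name)
    Dim ext
    ext = LCase(Mid(name, InStrRev(name, ".") + 1))
    Select Case ext
        Case "doc"
            ContentTypeFor = "application/msword"
        Case "pdf"
            ContentTypeFor = "application/pdf"
        Case "xls"
            ContentTypeFor = "application/vnd.ms-excel"
        Case "zip"
            ContentTypeFor = "application/zip"
        Case "txt"
            ContentTypeFor = "text/plain"
        Case Else
            ContentTypeFor = "application/octet-stream"
    End Select
End Function

' 4. Stream the file from outside the web root, in chunks, then stop the page.
Sub SendFile(ByVal fullPath, ByVal downloadName)
    Dim fso, f, stm
    Const CHUNK = 65536
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    If Not fso.FileExists(fullPath) Then
        Response.Status = "404 Not Found"
        Response.Write "No such document."
        Response.End
    End If
    Set f = fso.GetFile(fullPath)

    Response.Buffer = True
    Response.Clear
    Response.ContentType = ContentTypeFor(downloadName)
    Response.AddHeader "Content-Disposition", "attachment; filename=""" & downloadName & """"
    Response.AddHeader "Content-Length", CStr(f.Size)
    Response.AddHeader "Cache-Control", "private, no-store"

    Set stm = Server.CreateObject("ADODB.Stream")
    stm.Type = 1            ' adTypeBinary
    stm.Open
    stm.LoadFromFile fullPath
    Do While Not stm.EOS
        Response.BinaryWrite stm.Read(CHUNK)
        Response.Flush
    Loop
    stm.Close
    Set stm = Nothing
    Set f = Nothing
    Set fso = Nothing
    ' Nothing may follow the bytes, or the saved file is corrupted.
    Response.End
End Sub

Dim requested
requested = SafeFileName(Request.QueryString("f"))
If requested = "" Then
    Response.Status = "400 Bad Request"
    Response.Write "Bad file name."
    Response.End
End If

SendFile DOC_ROOT & requested, requested
%>
```

In home.asp the link becomes <a href="download.asp?f=aaa.doc">link</a>; the address bar then only ever shows download.asp, and a visitor without a session is redirected exactly as for home.asp. kevp75's record-ID idea is the stricter variant of step 2: look the ID up in a table and take the file name from the database, so the request never carries a file name at all. Cache-Control: private, no-store keeps proxies from serving the document to the next, unauthenticated visitor.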
 
fritz_the_blankCommented:
kevp75--

I think that we are saying the same thing. My first example is what to do, the second is what not to do and why.

FtB
0
 
kevp75Commented:
DOH!

so now the issue at hand is why it is still displaying the document as binary...I'm wondering now if the code has been updated to what was suggested above, as I do not have the issue he/she is having.  I use something very similar to it here..http://www.portalfanatic.com/filemanager/filem.asp?fcID=8  (click the little floppy icon)

the files here are outside of the website's root folder and the download function uses the ado stream, but as you can see it just prompts you to save or open.
0
 
fritz_the_blankCommented:
I think that it depends on the file type. If your browser recognizes the type, it will offer the option of opening in the browser. I got around that somehow before, but it was convoluted, and I suspect that different browsers will react in different ways.

FtB
0
 
kevp75Commented:
i don't know if it'll help at all but here is the function that I use.  So far, every file gets prompted to save or open....
Private Sub DownloadFile(file)
      Dim strAbsFile
      Dim objFSO
      Dim objFile
      Dim objStream
      strAbsFile = file
      Set objFSO = CreateObject("Scripting.FileSystemObject")
      If objFSO.FileExists(strAbsFile) Then
            Set objFile = objFSO.GetFile(strAbsFile)
            Response.Clear
            Response.AddHeader "Content-Disposition", "attachment; filename=" & objFile.Name
            Response.AddHeader "Content-Length", objFile.Size
            ' generic binary type: browser offers Save/Open instead of rendering the bytes
            Response.ContentType = "application/octet-stream"
            Set objStream = CreateObject("ADODB.Stream")
            objStream.Open
            objStream.Type = 1
            objStream.LoadFromFile(strAbsFile)
            Response.BinaryWrite(objStream.Read)
            objStream.Close
            Set objStream = Nothing
            Set objFile = Nothing
            ' the original called closeWindow() here, a helper from kevp75's own site
            ' that is not shown; ending the response keeps any trailing page
            ' markup out of the downloaded file
            Response.End
      Else  'objFSO.FileExists(strAbsFile)
            Response.Clear
            Response.Write("No such file exists.")
      End If
      Set objFSO = Nothing
End Sub

I call it like this:

'get my recordset based on the file's ID#

'set my physical path
strFile = "c:\files\" & rs("filePath") & rs("FileExt")

'Call the download
Call DownloadFile(strFile)



so far it seems to work with all file types, in all browsers.  However, there are a lot of file types that I have not been able to test it with.
0
 
B_DorseyCommented:
kevp75,

Sorry for OT'ng

I have been wondering about something with your code, when the user is prompted to open or download a file, if they choose download, does the user get a "[1]" in the file name?

Sorry for OT'ng

b
0
 
kevp75Commented:
not that I personally have noticed.  I would imagine that the [1] would be in there if they download the same file more than once in the same session, but I could be wrong.

OT'ng.....don't even worry about it, that's what we're here for   :)
0
 
B_DorseyCommented:
I get it because it seems to be a copy when I use other scripts to try and hide my downloads.... seems the server acts like it has it already and is now downloading it again and handing it off to the client, hence the [1].... every file, every time.... have never been able to get rid of the [1]

thx
b
0
 
kevp75Commented:
odd.  The [1] doesn't show up here http://www.portalfanatic.com/filemanager/filem.asp?fcID=7

but here it does http://www.portalfanatic.com/filemanager/filem.asp?fcID=8

i wonder if it has something to do with the browser's interpretation of the file type?

I'm not sure what to say.  It only seems like it would be an annoyance, if it is absolutely necessary to keep the same filename for the file being downloaded.  I don't believe there would be a way around it, unless maybe you randomly generate the filename for each download, on each download.  for example:

i go and download doc.zip twice the first time would be

ohoikjkjk.zip

the second time would be
kkkkliioo.zip
0
 
chisholmdCommented:
Sorry to butt in but I just answered a similar question at:

http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_21864337.html

It uses ServerXMLHTTP and 7 lines of code. It should work in this instance as well.
0
 
kevp75Commented:
tell me chisholmd, is that method for a cookie/session based login, or is it for windows authentication?   I only ask, because it looks like the latter, and now I'm wondering if the questioner's login system is also the same.

@VenezuelanGirl
Do you use windows authentication to do your login, or is it session/cookie based?
0
 
kevp75Commented:
@chisholmd
I'm also wondering if you can set the content type to be unidentified, I noticed your script is for a pdf file, but what about a zip, doc, txt, etc...
0
 
chisholmdCommented:
Well it shouldn't be hard to google for the mime types of the most expected files. DOC, XLS, or whatever and then set the type based on the extension.

if "doc" then "application/msword" or whatever

Ummm...if you omit the mime type and just use the
Response.AddHeader "Content-Disposition", "attachment; filename=" & strDownloadFilename

Then it should prompt the person to save to disk right?
0
 
kevp75Commented:
@chisholmd
no offense intended, just curious.

Response.AddHeader "Content-Disposition", "attachment; filename=" & strDownloadFilename

would not necessarily prompt the user.
0
 
chisholmdCommented:
No offense taken and I hope I didn't sound annoyed or anything :)

I thought the "Attachment" part was supposed to cause the browser to treat it as a download rather than a load with plugin but maybe not eh.  I mostly use that header to provide a proper name.
0
 
kevp75Commented:
i'd be curious to know the outcome...

(it was a good discussion...)
0
 
fritz_the_blankCommented:
Of course, I am rooting for http:#16771719

FtB
0
 
kevp75Commented:
fritz...  how do you know the post ID? to be able to do the http://#16771719  ?
0
 
fritz_the_blankCommented:
I can see the post ids in admin mode. Have you tried viewing the source of the page to see if it's there in normal mode?

FtB
0
 
kevp75Commented:
ah.  

nah, too much to go through for such a minor thing     :)
0
 
WMIFCommented:
the id is in the source of the page.  I've seen it before, but it's too much hassle just to point out a post in a certain question.  
0
 
kevp75Commented:
yeah....I sifted through a few minutes after my last post.  Way too much to go through for such a little thing  :)

It'd be a nice little addition though....maybe right next to the poster's name  (hint hint, nudge nudge)  :)
0
 
kevp75Commented:
just curious WMIF, but how can you accept your own answer as part of the split, when you point out the fact the posts above yours are pointing the questioner in the right direction?

I don't care about points, or even getting in on this split, it just seems a little like favoritism to be able to accept your own answer (especially since you point out in that post...)

Just my 2 cents, but if anyone should get the points it should be full marks to fritz.
0
 
WMIFCommented:
>>if I'm not mistaken (which I may)  WMIF's second link porvides the solution for that issue.

you also thought that i provided a solution in your comment here.


i referenced part of a suggestion before mine, but a different approach.  perhaps all of us should get points because we are all suggesting that some code should be typed out?
0
 
kevp75Commented:
not a bad idea.   I just wish the questioner would participate a little  :)
0
