Donnie Walker asked:

Is there a way to hide/block files from being downloaded on a web site by a "web site downloader" program?

I am developing a document management system in ASP for our company's intranet. We have employees all over the country so the intranet is accessible by login/password.

The database I am using (MS SQL Express) has a size limit of 4GB so instead of storing the files inside the database I have to drop the physical files inside folders on the web site.

I know there are web site download programs that will troll your site and grab every file they can.

I am worried about people outside the company AND even employees accessing files they should not see (as some of the files would only be viewable by some employees).

Is there a way I can block this from happening? We have a dedicated Windows server so I can change IIS settings, etc. if needed.

I'm looking for any ideas.
Tags: Web Development, Microsoft IIS Web Server, ASP

abel

To block other users from accessing the files you should use the login / password protection system. Depending on the type of protection you use you can prevent this up to a high or low level.

For instance, suppose you have the files in the file system and you just map the directory in IIS to give direct access. That way only normal HTTP-level security (basic auth and challenge / response auth) is possible, which is easily hacked but can be just what you need.

If you have scripts doing the security for you, you can also use these scripts to allow / prevent access to these files. In that case, you'll have to hide them behind a proxy (for instance), so that the user sees a link relative to your site and you internally redirect that to the file.
abel

Other means of protection levels are to transport the files encrypted. You can do that over SSL, or you can even send the files encrypted (you can ZIP or RAR them) and send the user a password afterwards (automatically of course).

But that might be too much of a hassle to your users.

To prevent bots from accessing your files you can use other techniques. The easiest is to simply limit the amount of files to be downloaded per user (logged in user) and per IP address. Of course IP addresses can be spoofed and users can use other users' login credentials, but then we're talking of a professional coordinated attack.

Instead of limiting the per day or per hour amount of files, you can also make it impossible for direct access by requiring some computer-generated image to be read and typed over (forgot the term for a moment) which makes it much harder for bots and the extra action will prevent users from doing this tedious task for days by hand to get all your files.

Those were some of my ideas. Not sure if some is to your liking. If you need some pointers on how to go about implementing any of these ideas, just gimme a yell ;)

Cheers,
-- Abel --
kevp75

and yet another method....

don't store the files in the webroot. Store them in a folder above it, and utilize ADO.Stream to force the users to download them... lemme know, and I'll provide the code for the downloading...
Donnie Walker (ASKER)

kevp75, interesting. Yes, let me see the code so I can test it.
ASKER CERTIFIED SOLUTION
kevp75

[Solution text is available to members only.]
kevp75

glad I could help and thanks for the grade!
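
The approach suggested in the thread (abel's script acting as a gatekeeper in front of the files, and kevp75's folder outside the webroot streamed through an ADO stream) could look like the following `download.asp`. This is an added example, not code posted by any participant and not the members-only solution. The store path, the `Session("UserRole")` value and the in-page catalogue are assumptions; `ADODB.Stream` is the ProgID of the ADO stream object.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
Response.Buffer = True

' Assumed location outside the web root, so IIS has no URL that maps to it.
Const STORE_ROOT = "D:\DocStore\"
Const adTypeBinary = 1
Const CHUNK_BYTES = 262144

' Constructed sample catalogue: document id -> "required role|stored file name".
' In the real system this lookup would be a row in the SQL Server database.
Dim catalogue : Set catalogue = Server.CreateObject("Scripting.Dictionary")
catalogue.Add "101", "all|handbook.pdf"
catalogue.Add "102", "hr|salary-bands.xls"

Sub Deny(status)
    Response.Clear
    Response.Status = status
    Response.End
End Sub

' 1. Logged-in users only. Session("UserRole") is a hypothetical value set at login.
If Session("UserRole") = "" Then Deny "401 Unauthorized"

' 2. The client supplies an id, never a file name or path.
Dim docId : docId = Trim(Request.QueryString("id") & "")
If Not catalogue.Exists(docId) Then Deny "404 Not Found"

' 3. Per-document check: "all" means any logged-in employee.
Dim entry : entry = Split(catalogue(docId), "|")
If entry(0) <> "all" And entry(0) <> Session("UserRole") Then Deny "403 Forbidden"

' 4. Stream the file in chunks so large documents do not hit the ASP buffer limit.
Dim stream : Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile STORE_ROOT & entry(1)

Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & entry(1) & """"
Do While Not stream.EOS
    Response.BinaryWrite stream.Read(CHUNK_BYTES)
    Response.Flush
Loop
stream.Close
%>
```

Because every request passes through the session and role checks, a site-downloader tool that follows links gets only the documents its logged-in account is already allowed to read. The store folder must not be mapped as a virtual directory, and the IIS worker identity needs read access to it.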