Solved

Creating a file Manager

Posted on 2010-08-14
Last Modified: 2012-05-10
I'm creating a file manager for a client with classic ASP. All files in the folder should only be accessible upon login. Each user has their own unique login ID. It worked fine until one day someone found the file through a Google search and managed to open it directly from the Google link. Is there any way for me to prevent anyone who has the exact URL link from downloading the file?
0
Question by:hannsmedia
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 33435810
Just a thought... use a session variable to note that a login has been successful.  Then on every page (perhaps with an include) verify that session variable is set appropriately - if not, redirect to a login page.
0
 
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 33439757
I think the problem is even if you password protect your page, the actual file can be surfed to. So one option is to update your robots.txt. But that does not mean another bot will respect it. A 2nd option will be to simply lock down the folder and give everybody the same password. But that is not always easy to manage. Check out AspUpload http://www.aspupload.com. There is also a download feature http://www.aspupload.com/manual_misc.html#9_2 where you can place your files in a locked down folder and the com object can access the locked down folder as a user. http://www.aspupload.com/manual_security.html

It's not free, but for $200 it is cheaper than trying to recreate it on your own time. If you are hosted on a shared service, check with your host, many hosts will already have this installed and ready to go.
0
 
LVL 28

Accepted Solution

by:
sybe earned 2000 total points
ID: 33443383
Put the files out of the www, so they are not directly accessible. For example in (a subdirectory of) the _private directory.

File download is easy in pure ASP, no need for a costly component. See attached code. Create an asp-file "download.asp" which first checks the login of the users. If not logged in, redirect them to the login page. If logged in, send the file.


Sub WriteFileToBrowser(ByVal sFilePath, ByVal sContentType, ByVal sDisplayName)
    Dim oStream, iFileSize, iChunk, i

    Response.Buffer = True
    Server.ScriptTimeout = 30000    ' seconds; lets slow clients finish large downloads
    iChunk = 64000                  ' bytes sent per write

    ' Load the file as binary data through ADODB.Stream
    Set oStream = Server.CreateObject("ADODB.Stream")
    oStream.Type = 1                ' 1 = adTypeBinary
    oStream.Open
    oStream.LoadFromFile sFilePath
    iFileSize = oStream.Size

    Response.ContentType = sContentType
    Response.AddHeader "Content-Disposition", "filename=" & sDisplayName
    Response.AddHeader "Content-Length", iFileSize

    ' Send the full-size chunks, stopping early if the client disconnects
    For i = 1 To iFileSize \ iChunk
        If Not Response.IsClientConnected Then Exit For
        Response.BinaryWrite oStream.Read(iChunk)
        Response.Flush              ' send each chunk so large files do not overflow the response buffer
    Next

    ' Send the remaining partial chunk, if any
    If iFileSize Mod iChunk > 0 Then
        If Response.IsClientConnected Then
            Response.BinaryWrite oStream.Read(iFileSize Mod iChunk)
            Response.Flush
        End If
    End If

    oStream.Close
    Set oStream = Nothing
End Sub

0
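The "download.asp" gatekeeper described in the accepted answer, as an added example that is not part of the original thread: it checks the login session, rejects file names that try to leave the private folder, and only then streams the file. The session key `UserId`, the query parameter `f`, the include file name, `login.asp` and the `PRIVATE_DIR` path are all assumptions made for illustration; `WriteFileToBrowser` is the Sub from the answer above.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit %>
<!-- #include file="WriteFileToBrowser.inc.asp" -->
<%
' Hypothetical include above holds the WriteFileToBrowser Sub from the answer.
Const PRIVATE_DIR = "D:\example\private\files\"  ' placeholder: folder outside the web root
Const LOGIN_PAGE  = "login.asp"                  ' hypothetical login page

' Returns the bare file name, or "" when the request contains path
' separators, a drive letter or ".." (an attempt to leave PRIVATE_DIR).
Function SafeFileName(ByVal sRequested, ByVal oFso)
    SafeFileName = ""
    If Len(sRequested) = 0 Then Exit Function
    If InStr(sRequested, "..") > 0 Or InStr(sRequested, "/") > 0 _
       Or InStr(sRequested, "\") > 0 Or InStr(sRequested, ":") > 0 Then Exit Function
    If oFso.GetFileName(sRequested) <> sRequested Then Exit Function
    SafeFileName = sRequested
End Function

Dim oFso, sName, sPath

' 1. Login check: the login page is assumed to set Session("UserId").
If Session("UserId") = "" Then
    Response.Redirect LOGIN_PAGE
End If

' 2. Validate the requested name before building a path from it.
Set oFso = Server.CreateObject("Scripting.FileSystemObject")
sName = SafeFileName(Trim(Request.QueryString("f")), oFso)
sPath = PRIVATE_DIR & sName

If sName = "" Or Not oFso.FileExists(sPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If
Set oFso = Nothing

' 3. Keep shared caches and proxies from storing the protected file.
Response.CacheControl = "private"
Response.Expires = -1

' 4. Stream the file from the non-public folder.
WriteFileToBrowser sPath, "application/octet-stream", sName
%>
```

Because the file is only ever served through this script, a crawler or a visitor holding an old direct link has no URL that maps to the file itself.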
 
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 33445186
sybe, I tried your code with the following:
<%
WriteFileToBrowser "D:\inetpub\wwwroot\hidden\myimage.jpg", "image/jpg","renameimage.jpg"
%>
Works great. I like the ability to change the image name too. However, if the site is on a shared server, it is possible that you do not have access to a folder outside of the www directory. If that is the case, it is still possible that the "hidden" directory can be cached by a search engine. So if there is a way to add to your code a way to impersonate permissions from something other than "everyone" and remove read permissions from "everyone", that would make your solution work for those types of shared servers that can't access outside the www folder.
0
