Display PDF from database without caching

Discussion in 'ASP General' started by rolfejr@gmail.com, Sep 29, 2006.

  1. Guest

    I am trying to display a PDF in the users browser that is pulled from a
    binary field in our database, and keep that PDF from caching on the
    client computer. I can successfully pull the PDF and display it using
    the following code:

    Response.ContentType = "application/pdf"
    Response.BinaryWrite objRS("Attachment")

    where objRS("Attachment") is a reference to the binary field retrieved
    from the database. However, I have tried adding virtually every header
    known to have anything to do with caching, and I cannot seem to prevent
    the PDF from caching in the client's browser. So then I tried to use
    the adodb.stream object, as follows:

    set objStream=server.createObject("ADODB.Stream")
    objStream.Open
    objStream.Type=1 'adTypeBinary
    objStream.write objRS.fields("Attachment").value

    Response.ContentType = "application/pdf"
    Response.BinaryWrite objStream.Read()

    This follows, more or less, several examples I've found on the web,
    although most examples are reading a file into the stream, not a binary
    field returned from a database. This code gives me the following
    error:

    Response object, ASP 0106 (0x80020005)
    An unhandled data type was encountered.

    I'm looking for a way to make the stream work, or any other suggestions
    on how to display the pdf to the client without it caching in their
    browser.
    , Sep 29, 2006
    #1
    1. Advertising

  2. <> wrote in message
    news:...
    > I am trying to display a PDF in the users browser that is pulled from a
    > binary field in our database, and keep that PDF from caching on the
    > client computer. I can successfully pull the PDF and display it using
    > the following code:
    >
    > Response.ContentType = "application/pdf"
    > Response.BinaryWrite objRS("Attachment")
    >
    > where objRS("Attachment") is a reference to the binary field retrieved
    > from the database. However, I have tried adding virtually every header
    > known to have anything to do with caching, and I cannot seem to prevent
    > the PDF from caching in the client's browser. So then I tried to use
    > the adodb.stream object, as follows:
    >
    > set objStream=server.createObject("ADODB.Stream")
    > objStream.Open
    > objStream.Type=1 'adTypeBinary
    > objStream.write objRS.fields("Attachment").value
    >
    > Response.ContentType = "application/pdf"
    > Response.BinaryWrite objStream.Read()
    >
    > This follows, more or less, several examples I've found on the web,
    > although most examples are reading a file into the stream, not a binary
    > field returned from a database. This code gives me the following
    > error:
    >
    > Response object, ASP 0106 (0x80020005)
    > An unhandled data type was encountered.
    >
    > I'm looking for a way to make the stream work, or any other suggestions
    > on how to display the pdf to the client without it caching in their
    > browser.
    >


    You can't prevent the caching of the PDF on the client by modifying how the
    PDF is streamed. At the end of the day the client sees the exact same
    sequence of bytes.

    What did you try in the headers. The following should prevent a cache from
    re-using the content:-

    Response.Expires = 0
    Response.CacheControl = "private; max-age=0; no-cache"

    You could also go with:-

    Response.CacheControl = "private; max-age=0; no-store"

    Also you could use a negative number for expires to make sure that a slow
    clock on the client doesn't result in the content being cached. Browsers
    using HTTP 1.1 will favor Cache-Control over Expiry date anyway.

    How are you determining that a cache version is being re-used. The back
    button on a browser for example may not be affected by any of these HTTP
    headers.
    Anthony Jones, Sep 29, 2006
    #2
    1. Advertising

  3. Guest

    I have tried the following headers:
    response.addheader "Expires","Mon, 26 Jul 1997 05:00:00 GMT"
    response.addheader "Cache-Control","no-store, no-cache,
    must-revalidate"
    response.addheader "Cache-Control","post-check=0, pre-check=0',
    FALSE"
    Response.AddHeader "Pragma", "no-cache"
    Response.CacheControl="no-cache"
    Response.expires=-1

    I've tried various combinations of these as well. The way I am
    determining whether or not it is cached is by clearing my cache,
    loading the page, and looking at the cache - the PDF is there in the
    cache still there. I'm not so concerned about the browser showing a
    cached version instead of the latest version, I'm more concerned with
    privacy. These PDF's contain sensitive information. I am worried
    about someone viewing the PDF in their browser, then someone else
    walking up to their computer and getting the PDF from their cache.
    That's why I was wondering if by streaming the PDF if I could keep it
    from saving an actual PDF file in their cache folder.

    The interesting thing is that there are two pages involved - the first
    is gerenated HTML that shows the list of available PDF's from the
    database. I have successfully been able to prevent this page from
    being cached with the following meta tags:
    <meta http-equiv="Pragma" content="no-cache">
    <meta http-equiv="Cache-Control" content="no-cache">
    <meta http-equiv="Expires" content="-1"

    I have also added a cache-control:no-cache header using IIS on this
    specific page (actually, all pages in this directory. The user clicks
    one of the PDF links, and in a new window it opens the ASP page that is
    application.pdf content type in a new browser window. Obviously I
    can't put meta tags on this page, because it is not HTML - it's the
    binary PDF, so I am stuck with HTTP headers. I will keep
    experimenting, using your specific examples below and see what happens.


    Anthony Jones wrote:
    > You can't prevent the caching of the PDF on the client by modifying how the
    > PDF is streamed. At the end of the day the client sees the exact same
    > sequence of bytes.
    >
    > What did you try in the headers. The following should prevent a cache from
    > re-using the content:-
    >
    > Response.Expires = 0
    > Response.CacheControl = "private; max-age=0; no-cache"
    >
    > You could also go with:-
    >
    > Response.CacheControl = "private; max-age=0; no-store"
    >
    > Also you could use a negative number for expires to make sure that a slow
    > clock on the client doesn't result in the content being cached. Browsers
    > using HTTP 1.1 will favor Cache-Control over Expiry date anyway.
    >
    > How are you determining that a cache version is being re-used. The back
    > button on a browser for example may not be affected by any of these HTTP
    > headers.
    , Sep 29, 2006
    #3
  4. Guest

    One other thing that is strange - if I look at my cache using internet
    explorer (tools -> options -> (general tab, settings button under
    Temporary Internet Files section) -> View Files, then the PDF is not
    there. The same thing is you navigate to C:\Documents and
    Settings\username\Local Settings\Temporary Internet Files. However,
    this is a special folder, and the actual files are stored in various
    subdirectories in a content.ie5 subdirectory to the folder Temporary
    Internet Files - windows just doesn't show it to you. So instead if
    you navigate to \\computername\c$\documents and settings\username\local
    settings\temporary internet files\content.ie5\ (windows no longer
    treats it as a special folder) and search all files in this directory
    and subdirectory, then you will find the PDF. Maybe I am just dealing
    with the fact that this is just how internet explorer works, and there
    is no way to prevent the actual file from existing on the client
    computer?
    , Sep 29, 2006
    #4
  5. Guest

    By the way, I have the same problem with firefox - the cache is a
    little more cryptic as there is no file extension, but nevertheless,
    the file is still there, and is easily renamed and accessed.
    , Sep 29, 2006
    #5
  6. Mike Brind Guest

    wrote:
    > I have tried the following headers:
    > response.addheader "Expires","Mon, 26 Jul 1997 05:00:00 GMT"
    > response.addheader "Cache-Control","no-store, no-cache,
    > must-revalidate"
    > response.addheader "Cache-Control","post-check=0, pre-check=0',
    > FALSE"
    > Response.AddHeader "Pragma", "no-cache"
    > Response.CacheControl="no-cache"
    > Response.expires=-1
    >
    > I've tried various combinations of these as well. The way I am
    > determining whether or not it is cached is by clearing my cache,
    > loading the page, and looking at the cache - the PDF is there in the
    > cache still there. I'm not so concerned about the browser showing a
    > cached version instead of the latest version, I'm more concerned with
    > privacy. These PDF's contain sensitive information. I am worried
    > about someone viewing the PDF in their browser, then someone else
    > walking up to their computer and getting the PDF from their cache.


    How will you prevent the user from hitting the "Save" button on their
    browser/reader and saving a local copy of the file?

    --
    Mike Brind
    Mike Brind, Sep 29, 2006
    #6
  7. Mike Brind wrote:
    >> These PDF's contain sensitive information. I am worried about
    >> someone viewing the PDF in their browser, then someone else
    >> walking up to their computer and getting the PDF from their
    >> cache.

    >
    > How will you prevent the user from hitting the "Save" button
    > on their browser/reader and saving a local copy of the file?


    Those are separate issues. Many of us work in environments where such
    behavior is covered under regulatory guidelines, such as HIPAA. There can be
    legitimate handling of sensitive data that involves saving files.

    In any case, the OP is making an effort to safeguard that information when
    the user is following his/her protection guidelines. Your question is
    irrelevant.



    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms.
    Dave Anderson, Sep 29, 2006
    #7
  8. Mike Brind Guest

    Dave Anderson wrote:
    > Mike Brind wrote:
    > >> These PDF's contain sensitive information. I am worried about
    > >> someone viewing the PDF in their browser, then someone else
    > >> walking up to their computer and getting the PDF from their
    > >> cache.

    > >
    > > How will you prevent the user from hitting the "Save" button
    > > on their browser/reader and saving a local copy of the file?

    >
    > Those are separate issues. Many of us work in environments where such
    > behavior is covered under regulatory guidelines, such as HIPAA. There can be
    > legitimate handling of sensitive data that involves saving files.
    >
    > In any case, the OP is making an effort to safeguard that information when
    > the user is following his/her protection guidelines. Your question is
    > irrelevant.
    >


    Huh? Irrelevant to what? Of course I realise it's a separate issue to
    the OP's problem, but it's one I am interested in knowing the answer
    to. Hence I asked the question. That's what other people are allowed
    to do here. And before you say it, yes, I also realise, strictly
    speaking, it's OT for this group. But then so are all the html/css etc
    questions that get answered.

    Sod it... I withdraw the question.

    --
    Mike Brind
    Mike Brind, Sep 30, 2006
    #8
  9. <> wrote in message
    news:...
    > I have tried the following headers:
    > response.addheader "Expires","Mon, 26 Jul 1997 05:00:00 GMT"
    > response.addheader "Cache-Control","no-store, no-cache,
    > must-revalidate"
    > response.addheader "Cache-Control","post-check=0, pre-check=0',
    > FALSE"
    > Response.AddHeader "Pragma", "no-cache"
    > Response.CacheControl="no-cache"
    > Response.expires=-1
    >


    Rather than mucking about with various headers lets just use the correct
    headers for your requirement.

    You want to attempt to stop the file from being cached at all. This could
    be a problem for PDFs.

    The correct code to acheive this is:-

    Response.CacheControl = "private; no-store"

    This informs all proxies between the origin server and the client not to
    store a copy of the resource. It also tells the client that it should not
    keep a copy of the resource. (no-cache actually means keep a copy if you
    want but always check back with the origin server before using it)

    The problem with this, at least with IE and PDFs, is that the implementation
    doesn't appear to be able to handle rendering a PDF stream directly, it
    needs to map the stream in to a file so despite the http headers saying
    otherwise it is stored anyway. Why it isn't deleted after it has been
    finished with I don't know it ought to be possible.



    > I've tried various combinations of these as well. The way I am
    > determining whether or not it is cached is by clearing my cache,
    > loading the page, and looking at the cache - the PDF is there in the
    > cache still there. I'm not so concerned about the browser showing a
    > cached version instead of the latest version, I'm more concerned with
    > privacy. These PDF's contain sensitive information. I am worried
    > about someone viewing the PDF in their browser, then someone else
    > walking up to their computer and getting the PDF from their cache.
    > That's why I was wondering if by streaming the PDF if I could keep it
    > from saving an actual PDF file in their cache folder.
    >
    > The interesting thing is that there are two pages involved - the first
    > is gerenated HTML that shows the list of available PDF's from the
    > database. I have successfully been able to prevent this page from
    > being cached with the following meta tags:
    > <meta http-equiv="Pragma" content="no-cache">
    > <meta http-equiv="Cache-Control" content="no-cache">
    > <meta http-equiv="Expires" content="-1"
    >
    > I have also added a cache-control:no-cache header using IIS on this
    > specific page (actually, all pages in this directory. The user clicks
    > one of the PDF links, and in a new window it opens the ASP page that is
    > application.pdf content type in a new browser window. Obviously I
    > can't put meta tags on this page, because it is not HTML - it's the
    > binary PDF, so I am stuck with HTTP headers. I will keep
    > experimenting, using your specific examples below and see what happens.
    >
    >
    > Anthony Jones wrote:
    > > You can't prevent the caching of the PDF on the client by modifying how

    the
    > > PDF is streamed. At the end of the day the client sees the exact same
    > > sequence of bytes.
    > >
    > > What did you try in the headers. The following should prevent a cache

    from
    > > re-using the content:-
    > >
    > > Response.Expires = 0
    > > Response.CacheControl = "private; max-age=0; no-cache"
    > >
    > > You could also go with:-
    > >
    > > Response.CacheControl = "private; max-age=0; no-store"
    > >
    > > Also you could use a negative number for expires to make sure that a

    slow
    > > clock on the client doesn't result in the content being cached.

    Browsers
    > > using HTTP 1.1 will favor Cache-Control over Expiry date anyway.
    > >
    > > How are you determining that a cache version is being re-used. The back
    > > button on a browser for example may not be affected by any of these HTTP
    > > headers.

    >
    Anthony Jones, Oct 1, 2006
    #9
  10. Guest

    That's basically the conclusion that I had come to - there is a
    Microsoft support document (several, actually) on the problem of
    downloading PDF's over an SSL, but I'm not using SSL - actually, in
    this particular scenario, the client may or may not use SSL (inside
    the company they don't - outside they do). Anyway, I will experiment
    some more with the private; no-store heading - at least now I know the
    correct header - thanks.

    As to the question about how do you prevent a client from just saving
    the PDF - you don't, and as has been stated already, that is
    irrelevant. Of course someone can just save the PDF from their browser
    - that's not the concern. the concern is someone ELSE pulling from a
    users cache without their knowledge. Basically I am dealing with
    people's pay stubs in PDF form, so if they want to save it, fine - they
    can do whatever they want with it. I just don't want people pulling
    OTHER employees pay stubs from their internet caches - at home, at
    work, at the library, etc, etc.

    > Rather than mucking about with various headers lets just use the correct
    > headers for your requirement.
    >
    > You want to attempt to stop the file from being cached at all. This could
    > be a problem for PDFs.
    >
    > The correct code to acheive this is:-
    >
    > Response.CacheControl = "private; no-store"
    >
    > This informs all proxies between the origin server and the client not to
    > store a copy of the resource. It also tells the client that it should not
    > keep a copy of the resource. (no-cache actually means keep a copy if you
    > want but always check back with the origin server before using it)
    >
    > The problem with this, at least with IE and PDFs, is that the implementation
    > doesn't appear to be able to handle rendering a PDF stream directly, it
    > needs to map the stream in to a file so despite the http headers saying
    > otherwise it is stored anyway. Why it isn't deleted after it has been
    > finished with I don't know it ought to be possible.
    >
    , Oct 2, 2006
    #10
  11. <> wrote in message
    news:...
    > That's basically the conclusion that I had come to - there is a
    > Microsoft support document (several, actually) on the problem of
    > downloading PDF's over an SSL, but I'm not using SSL - actually, in
    > this particular scenario, the client may or may not use SSL (inside
    > the company they don't - outside they do). Anyway, I will experiment
    > some more with the private; no-store heading - at least now I know the
    > correct header - thanks.
    >
    > As to the question about how do you prevent a client from just saving
    > the PDF - you don't, and as has been stated already, that is
    > irrelevant. Of course someone can just save the PDF from their browser
    > - that's not the concern. the concern is someone ELSE pulling from a
    > users cache without their knowledge. Basically I am dealing with
    > people's pay stubs in PDF form, so if they want to save it, fine - they
    > can do whatever they want with it. I just don't want people pulling
    > OTHER employees pay stubs from their internet caches - at home, at
    > work, at the library, etc, etc.
    >


    Yeah um just don't do that then.

    > > Rather than mucking about with various headers lets just use the correct
    > > headers for your requirement.
    > >
    > > You want to attempt to stop the file from being cached at all. This

    could
    > > be a problem for PDFs.
    > >
    > > The correct code to acheive this is:-
    > >
    > > Response.CacheControl = "private; no-store"
    > >
    > > This informs all proxies between the origin server and the client not to
    > > store a copy of the resource. It also tells the client that it should

    not
    > > keep a copy of the resource. (no-cache actually means keep a copy if

    you
    > > want but always check back with the origin server before using it)
    > >
    > > The problem with this, at least with IE and PDFs, is that the

    implementation
    > > doesn't appear to be able to handle rendering a PDF stream directly, it
    > > needs to map the stream in to a file so despite the http headers saying
    > > otherwise it is stored anyway. Why it isn't deleted after it has been
    > > finished with I don't know it ought to be possible.
    > >

    >
    Anthony Jones, Oct 3, 2006
    #11
  12. Mike Brind Guest

    wrote:
    > That's basically the conclusion that I had come to - there is a
    > Microsoft support document (several, actually) on the problem of
    > downloading PDF's over an SSL, but I'm not using SSL - actually, in
    > this particular scenario, the client may or may not use SSL (inside
    > the company they don't - outside they do). Anyway, I will experiment
    > some more with the private; no-store heading - at least now I know the
    > correct header - thanks.
    >
    > As to the question about how do you prevent a client from just saving
    > the PDF - you don't, and as has been stated already, that is
    > irrelevant. Of course someone can just save the PDF from their browser
    > - that's not the concern. the concern is someone ELSE pulling from a
    > users cache without their knowledge. Basically I am dealing with
    > people's pay stubs in PDF form, so if they want to save it, fine - they
    > can do whatever they want with it. I just don't want people pulling
    > OTHER employees pay stubs from their internet caches - at home, at
    > work, at the library, etc, etc.
    >


    Is password-protecting the PDFs not an option?

    --
    Mike Brind
    Mike Brind, Oct 3, 2006
    #12
  13. Guest

    > Is password-protecting the PDFs not an option?

    I wish. The pdf's are stored in the database by third party software,
    so I have no control over how they are created. There may be some
    option of pulling them out, password protecting them, then putting them
    back in the database using some third-party pdf app, but I wouldn't
    really know where to begin there...
    , Oct 5, 2006
    #13
  14. Mike Brind Guest

    Persits ASPPdf allows you to open existing PDF documents and alter their
    security settings, including applying passwords.

    http://www.asppdf.com/manual_08.html

    You would probably have to create a temp copy of the PDF on the server,
    apply new security settings to that, then stream it and delete the temp
    file.

    The 30 day evaluation is definitely worth taking up. And no, I'm not on
    commission - I have found it to be a very good product :)

    --
    Mike Brind


    <> wrote in message
    news:...
    >> Is password-protecting the PDFs not an option?

    >
    > I wish. The pdf's are stored in the database by third party software,
    > so I have no control over how they are created. There may be some
    > option of pulling them out, password protecting them, then putting them
    > back in the database using some third-party pdf app, but I wouldn't
    > really know where to begin there...
    >
    Mike Brind, Oct 5, 2006
    #14
  15. Guest

    Thanks for the reference, I will definitely look into it.

    Mike Brind wrote:
    > Persits ASPPdf allows you to open existing PDF documents and alter their
    > security settings, including applying passwords.
    >
    > http://www.asppdf.com/manual_08.html
    >
    > You would probably have to create a temp copy of the PDF on the server,
    > apply new security settings to that, then stream it and delete the temp
    > file.
    >
    > The 30 day evaluation is definitely worth taking up. And no, I'm not on
    > commission - I have found it to be a very good product :)
    >
    > --
    > Mike Brind
    >
    >
    > <> wrote in message
    > news:...
    > >> Is password-protecting the PDFs not an option?

    > >
    > > I wish. The pdf's are stored in the database by third party software,
    > > so I have no control over how they are created. There may be some
    > > option of pulling them out, password protecting them, then putting them
    > > back in the database using some third-party pdf app, but I wouldn't
    > > really know where to begin there...
    > >
    , Oct 5, 2006
    #15
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?U1M=?=
    Replies:
    3
    Views:
    3,830
    Juan T. Llibre
    May 15, 2005
  2. JimLad
    Replies:
    3
    Views:
    912
    JimLad
    Jan 21, 2010
  3. Ricardo Pog
    Replies:
    1
    Views:
    420
    Austin Ziegler
    Mar 26, 2008
  4. Sean Nakasone
    Replies:
    1
    Views:
    360
    Farrel Lifson
    Apr 14, 2008
Loading...

Share This Page