Encrypt String or different approach

Discussion in 'ASP .Net Security' started by Gary Townsend (Spatial Mapping Ltd.), Nov 8, 2004.

  1. Good afternoon,

    I am building an application that uses ASP .NET and Blackmoon FTP
    Server. My plan currently is to automate some user processes; one of
    those processes is to allow them to download files in their FTP Root
    directories via HTTP for our clients who are behind firewalls which
    prevent them from using the FTP protocol.

    So to this end I have created a page which lists all their files out,
    then provides a link that would spawn a new window which would initiate
    the transfer. A couple of problems exist for me, being that I have only been
    using ASP .NET for 2 weeks now. My question is this:

    1) Is there possibly a better way to initiate the file transfer without
    spawning a new window?

    2) If spawning a new window is the route I go, is there a way to encrypt
    the string I send to the new page so that people can hack the file
    transfer page to download any files they want?

    Any suggestions on improving my approach to this problem are also welcome.


    Gary Townsend
    Systems and Web Developer
    Spatial Mapping Ltd.
    http://www.spatialmapping.com
    250 564 1928
    Gary Townsend (Spatial Mapping Ltd.), Nov 8, 2004
    #1

  2. By the way, point 2 should read "so that people CAN NOT hack".
    Gary Townsend (Spatial Mapping Ltd.), Nov 8, 2004
    #2

  3. Jeff Dillon Guest

    Don't use a GET (using a querystring), but rather a POST to the target page.
    The user then won't see any info in the address bar

    jeff

    Jeff Dillon, Nov 8, 2004
    #3
  4. Paul Ingles Guest

    > Don't use a GET (using a querystring), but rather a POST to the target
    > page.
    > The user then won't see any info in the address bar


    But it'd still be open by viewing the contents of the HTTP request.

    To answer the original questions:

    1) You could always use a URL Rewriter or something that would inspect the
    request, and transfer the location to the actual URL.

    2) Encrypting the string is a fairly sound approach in my opinion, but you
    need to ensure the key is kept securely. Have a look at the DPAPI articles
    on MSDN, they've got some good suggestions for that kind of thing.

    Paul Ingles, Nov 9, 2004
    #4
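
The tamper-resistance goal behind question 2 and the reply above, as an added example that is not part of the thread. It swaps encryption for an HMAC over the signed-in user, the relative path and an expiry, and then re-checks that the resolved path stays under that user's root. `DownloadToken`, its method names, the paths and the sample key are hypothetical, and it assumes .NET Core 2.1 or later.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the thread): signed, expiring download links.
public static class DownloadToken
{
    // Constructed sample key. A real key is random and kept in protected storage.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-sample-key-not-for-use");

    static string Sign(string user, string relPath, long expires)
    {
        // Length-prefix the user name so field boundaries cannot be shifted.
        string msg = $"{user.Length}:{user}|{expires}|{relPath}";
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(msg)));
    }

    // Query string the listing page emits for one of the user's own files.
    public static string Issue(string user, string relPath, DateTimeOffset now)
    {
        long exp = now.AddMinutes(10).ToUnixTimeSeconds();
        string sig = Uri.EscapeDataString(Sign(user, relPath, exp));
        return $"file={Uri.EscapeDataString(relPath)}&exp={exp}&sig={sig}";
    }

    // Download page: 'user' comes from the authenticated session, never the URL.
    public static bool TryResolve(string user, string userRoot, string relPath,
                                  long exp, string sig, DateTimeOffset now, out string fullPath)
    {
        fullPath = "";
        if (now.ToUnixTimeSeconds() > exp) return false;   // link has expired
        byte[] expected = Encoding.ASCII.GetBytes(Sign(user, relPath, exp));
        byte[] supplied = Encoding.ASCII.GetBytes(sig ?? "");
        if (!CryptographicOperations.FixedTimeEquals(expected, supplied)) return false;
        // Defence in depth: the resolved path must stay under this user's root.
        string sep = Path.DirectorySeparatorChar.ToString();
        string root = Path.GetFullPath(userRoot).TrimEnd(Path.DirectorySeparatorChar) + sep;
        fullPath = Path.GetFullPath(Path.Combine(root, relPath));
        return fullPath.StartsWith(root, StringComparison.Ordinal);
    }

    static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        long exp = now.AddMinutes(10).ToUnixTimeSeconds();
        string sig = Sign("alice", "reports/q3.pdf", exp);
        // Untouched link first, then the same signature with an edited file parameter.
        Console.WriteLine(TryResolve("alice", "/ftp/alice", "reports/q3.pdf", exp, sig, now, out _));
        Console.WriteLine(TryResolve("alice", "/ftp/alice", "../bob/plan.pdf", exp, sig, now, out _));
    }
}
```

Because the signature covers the user taken from the session, a link copied to another account fails the check even before the path test runs.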
  5. Jeff Dillon Guest

    Excuse me? In ASP? I don't think so...

    What do you mean by HTTP request? View Source on the page? You can't view
    ASP code. And SSL would encrypt the packets themselves, if that's what you
    mean.

    Jeff
    Jeff Dillon, Nov 9, 2004
    #5
