File protection

[Greg]

I need to be able to secure files on my web server. I am using asp to
secure access to links and pages, for example:

<%If Session("manager")=FALSE Then%>
You are not authorized to view this page
<%Else%>
<<<Page Code>>>
<%End If%>

The place I'm running into problems is with files. I have a lot of
charts and such in PDF version. I kind of doubt there is a way to
secure these files with asp, but I thought it would be worth a try. My
biggest issue is that PDFs are stored in the browser's history, so once
the page has been accessed, anyone using the browser can get to that
unsecured PDF. As a brute force fix, is there some way to simply erase
the site from the browser history? If not, is there a way to secure
the PDF, or does someone know of a better group to post on? Thanks!

 

[Evertjan.]

Greg wrote on 18 apr 2006 in microsoft.public.inetserver.asp.general:

I need to be able to secure files on my web server. I am using asp to
secure access to links and pages, for example:

<%If Session("manager")=FALSE Then%>
You are not authorized to view this page
<%Else%>
<<<Page Code>>>
<%End If%>

The place I'm running into problems is with files. I have a lot of
charts and such in PDF version. I kind of doubt there is a way to
secure these files with asp, but I thought it would be worth a try. My
biggest issue is that PDFs are stored in the browser's history, so once
the page has been accessed, anyone using the browser can get to that
unsecured PDF. As a brute force fix, is there some way to simply erase
the site from the browser history? If not, is there a way to secure
the PDF, or does someone know of a better group to post on? Thanks!

You can try to start an .pdf or .jpg with:

<%If NOT Session("manager")="ok" Then server.transfer "/404.asp"%>

No Newline after the %> !!!

If the bitstream of the file contains no <% then this usually works

=================

Second option:

put the .pdf ot whatever in a directory outside the root,
or at least in a directory with a secret name.


Then send the file with:


<% ' myPdf.asp

If Session("manager")="ok" Then

pdf "/secretdirectoryQWERTYUIOP/myPdf.pdf"

function pdf(strFileName)
Response.Clear
strFilePath=server.mappath(strFilename)
Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = 1
objStream.LoadFromFile strFilePath
Response.ContentType = "application/pdf"
Response.BinaryWrite objStream.Read
objStream.Close
Set objStream = Nothing
Response.end
end function

end if

response.status = "404 Not Found" ' so searchbots will go away

%>
<html>
<body style='font-size:30pt;'>
No admittance! ;-(
</body>
</html>

 

[Kyle Peterson]

keep the files outside of the web or in a folder no ones knows the location
of
the stream the files to logged in users... whch wil keep the file locations
secret to everyone

www.aspin.com has some god examples on streaming from as code as well as a
lot of nice FREE asp login managers
www.aspprotect.com is a also good place to look if you are lokin for
something that can handle all of this for you including the streaming