Need general approach for hiding files

seguso

Hello, I have a very simple problem I don't know how to approach. I
need a suggestion about the general approach to take.

I have a bunch of html pages on a machine, all in the same folder
"logs". Each html page contains a log. The filenames look like

logs/log-xxxx.html

where xxxx is a user-id. (Each file logically belongs to a different
user).

I am developing a web site in asp.net which allows each user to see
his own log.

The obvious approach is to have a page where I dynamically create a
link <a href="logs/log-xxxx.html">, where xxxx depends on the user
authenticated in asp.net. This works: when the user clicks the link,
the html opens in a new window. But, in the browser's location bar,
the user sees the full path of the file, e.g.

http://localhost/WebSite/Docs/log-1234.html

Now, if he were to manually change the number on the location bar,
either by mistake or intentionally, he would see the log of another
user! This is not acceptable for privacy reasons.

What is a general approach to solve this problem? I mean, allowing the
user to only obtain his html file and not somebody else's. Do I have to
write an HttpHandler, or is there a simpler solution?

Thanks a lot for any help,

Maurizio
 
Jon Paal [MSMD]

you have to compare user id to value in logfile address - no match, no access.
 
Eliyahu Goldin

Never expose actual path to sensitive data.

Instead of <a href="logs/log-xxxx.html">, use
<a href="showlog.aspx?id=xxxx">

Make a simple asp.net page showlog.aspx that will deliver the log by the
user id. The user won't know anything about the actual file location.

--
Eliyahu Goldin,
Software Developer & Consultant
Microsoft MVP [ASP.NET]
http://msmvps.com/blogs/egoldin
http://usableasp.net
 
seguso

you have to compare user id to value in logfile address - no match, no access.

Thank you, but where should I do the comparison? When the user types
something in the browser's location bar, and presses ENTER, I don't
have a callback which can approve or discard the request...

Maurizio
 
Jon Paal [MSMD]

You could pass them through an intermediate page, do the check, then proceed.

see also suggestion by Eliyahu Goldin below.
 
Hans Kesting

Do not store those html files in the website, but just next to it.
This means that you can't have a direct link to it.
Add a "ViewLog.aspx" to your site, which
1) finds the id of the "current user",
2) builds the filename for his/her logfile,
3) uses Response.WriteFile to send that logfile to the browser.

Hans Kesting
 
bruce barker

map html files to asp.net in iis. then in your global.asa, in the
BeginRequest, do the user check. if fails, return a 401 response.

also you could encrypt the userid, so it's hard to guess.


-- bruce (sqlwork.com)
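The approach the replies converge on (Jon Paal's comparison of the authenticated user against the requested file, Hans Kesting's ViewLog page over a folder outside the site, bruce barker's 401 on failure), written out as an added C# example that is not code from anyone in this thread. It assumes an ASP.NET HttpHandler registered in web.config for a path such as ViewLog.axd, a "logs" folder beside the web root, and a hypothetical GetUserId mapping from the login name to the numeric id used in the file names.

```csharp
using System;
using System.IO;
using System.Web;

// Added example: serve the current user's log from a folder that is not
// under the web root, so there is no direct URL to any log file.
public class ViewLogHandler : IHttpHandler
{
    // Assumed location: a "logs" folder next to the site, not inside it.
    private static readonly string LogFolder = Path.GetFullPath(
        Path.Combine(Path.Combine(HttpRuntime.AppDomainAppPath, ".."), "logs"));

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // No authenticated user: refuse, as bruce suggests.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // The file name is derived from the server-side identity only.
        // Nothing the client puts in the address bar selects the file, so
        // changing a number in the URL cannot reach another user's log.
        int userId = GetUserId(context.User.Identity.Name);
        string fileName = string.Format("log-{0}.html", userId);
        string fullPath = Path.GetFullPath(Path.Combine(LogFolder, fileName));

        // Defence in depth: the resolved path must still be inside LogFolder.
        if (!fullPath.StartsWith(LogFolder + Path.DirectorySeparatorChar,
                StringComparison.OrdinalIgnoreCase) || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "text/html";
        context.Response.WriteFile(fullPath); // step 3 of Hans's outline
    }

    // Hypothetical mapping from login name to the numeric id in the file
    // names; replace with the site's own user store lookup.
    private static int GetUserId(string userName)
    {
        return int.Parse(userName); // assumes the login name is the id
    }
}
```

The handler never reads an id from the query string, which is what makes the address-bar edit in the original question harmless; if the site must accept an id parameter, the same comparison against context.User applies before any file is opened.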
 
seguso

map html files to asp.net in iis. then in your global.asa, in the
BeginRequest, do the user check. if fails, return a 401 response.

also you could encrypt the userid, so it's hard to guess.


Thank you very much Bruce. That's exactly what I was looking for.

Maurizio
 