Need general approach for hiding files

Discussion in 'ASP .Net' started by seguso, Jun 11, 2007.

  1. seguso

    seguso Guest

    Hello, I have a very simple problem I don't know how to approach. I
    need a suggestion about the general approach to take.

    I have a bunch of html pages on a machine, all in the same folder
    "logs". Each html page contains a log. The filenames look like

    logs/log-xxxx.html

    where xxxx is a user-id. (Each file logically belongs to a different
    user).

    I am developing a web site in asp.net which allows each user to see
    his own log.

    The obvious approach is to have a page where I dynamically create a
    link <a href="logs/log-xxxx.html">, where xxxx depends on the user
    authenticated in asp.net. This works: when the user clicks the link,
    the html opens in a new window. But, in the browser's location bar,
    the user sees the full path of the file, e.g.

    http://localhost/WebSite/Docs/log-1234.html

    Now, if he were to manually change the number on the location bar,
    either by mistake or intentionally, he would see the log of another
    user! This is not acceptable for privacy reasons.

    What is a general approach to solve this problem? I mean, allowing the
    user to only obtain his html file and not somebody else's. Have I to
    write a httphandler, or is there a simpler solution?

    Thanks a lot for any help,

    Maurizio
    seguso, Jun 11, 2007
    #1

  2. seguso

    Mark Rae Guest

    "seguso" <> wrote in message
    news:...

    > What is a general approach to solve this problem?


    Use a database...


    --
    http://www.markrae.net
    Mark Rae, Jun 11, 2007
    #2

  3. You have to compare user id to value in logfile address - no match, no access.


    Jon Paal [MSMD], Jun 11, 2007
    #3
  4. Never expose actual path to sensitive data.

    Instead of <a href="logs/log-xxxx.html">, use
    <a href="showlog.aspx?id=xxxx">

    Make a simple asp.net page showlog.aspx that will deliver the log by the
    user id. The user won't know anything about the actual file location.

    --
    Eliyahu Goldin,
    Software Developer & Consultant
    Microsoft MVP [ASP.NET]
    http://msmvps.com/blogs/egoldin
    http://usableasp.net


    Eliyahu Goldin, Jun 11, 2007
    #4
  5. seguso

    seguso Guest

    On 11 Jun, 16:11, "Jon Paal [MSMD]" <Jon[ nospam ]Paal @ everywhere
    dot com> wrote:
    > You have to compare user id to value in logfile address - no match, no access.
    >


    Thank you, but where should I do the comparison? When the user types
    something in the browser's location bar, and presses ENTER, I don't
    have a callback which can approve or discard the request...

    Maurizio
    seguso, Jun 11, 2007
    #5
  6. You could pass them through an intermediate page, do the check, then proceed.

    See also suggestion by Eliyahu Goldin below.


    Jon Paal [MSMD], Jun 11, 2007
    #6
  7. seguso

    Hans Kesting Guest



    Do not store those html files in the website, but just next to it.
    This means that you can't have a direct link to it.
    Add a "ViewLog.aspx" to your site, which
    1) finds the id of the "current user",
    2) builds the filename for his/her logfile,
    3) uses Response.WriteFile to send that logfile to the browser.

    Hans Kesting
    Hans Kesting, Jun 11, 2007
    #7
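
The three steps in the post above, written out as an added example (not code from the thread). It takes the id from the authenticated identity and never from the URL or a query string, so there is no number for the user to edit. The log folder path is a placeholder, and treating `User.Identity.Name` as the numeric user id is an assumption.

```csharp
// ViewLog.aspx.cs: code-behind for a ViewLog.aspx page (added example).
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web.UI;

public partial class ViewLog : Page
{
    // Placeholder path: a folder outside the site root, so IIS cannot serve it directly.
    private const string LogDirectory = @"D:\AppData\logs";

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1) The id comes from the authenticated identity only.
        if (!User.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }
        // 2) Build the file name; a missing log is answered like any unknown page.
        string path;
        if (!TryGetLogPath(User.Identity.Name, out path) || !File.Exists(path))
        {
            Response.StatusCode = 404;
            Response.End();
            return;
        }
        // 3) Send the file to the browser.
        Response.ContentType = "text/html";
        Response.WriteFile(path);
        Response.End();
    }

    // Assumption: the authenticated name is the numeric user id used in log-xxxx.html.
    internal static bool TryGetLogPath(string userId, out string path)
    {
        path = null;
        // Digits only, so the value cannot carry "..", slashes or drive letters.
        if (userId == null || !Regex.IsMatch(userId, @"\A[0-9]{1,10}\z"))
            return false;
        string root = Path.GetFullPath(LogDirectory) + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, "log-" + userId + ".html"));
        // Defence in depth: the resolved path must still sit inside the log folder.
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return false;
        path = candidate;
        return true;
    }
}
```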
  8. seguso

    bruce barker Guest

    Map html files to asp.net in IIS. Then in your global.asa, in the
    BeginRequest, do the user check. If it fails, return a 401 response.

    Also you could encrypt the userid, so it's hard to guess.


    -- bruce (sqlwork.com)

    bruce barker, Jun 11, 2007
    #8
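
A per-request ownership check of the kind described in the post above, as an added example (not code from the thread). It assumes .html requests are mapped to ASP.NET, that the files sit under `~/logs/`, and that `User.Identity.Name` is the numeric user id. The check is hooked to AuthorizeRequest because `Context.User` is not yet populated when BeginRequest fires.

```csharp
// Global.asax.cs (added example).
using System;
using System.Security.Principal;
using System.Text.RegularExpressions;
using System.Web;

public class Global : HttpApplication
{
    private const string LogFolder = "~/logs/"; // assumed location of the log files
    private static readonly Regex LogFile = new Regex(
        @"\A~/logs/log-([0-9]{1,10})\.html\z",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // Runs after AuthenticateRequest, so Context.User is available here.
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        // FilePath excludes any trailing path info appended after the file name.
        string path = VirtualPathUtility.ToAppRelative(Request.FilePath);
        if (!path.StartsWith(LogFolder, StringComparison.OrdinalIgnoreCase))
            return; // not a request for the log folder

        // Fail closed: anything under ~/logs/ that is not the caller's own file is refused.
        Match m = LogFile.Match(path);
        if (!m.Success || !IsOwner(Context.User, m.Groups[1].Value))
        {
            Response.StatusCode = 401;
            CompleteRequest(); // skip the handler, go straight to EndRequest
        }
    }

    // True only when the authenticated user's id equals the id in the requested file name.
    internal static bool IsOwner(IPrincipal user, string idFromUrl)
    {
        return user != null
            && user.Identity.IsAuthenticated
            && string.Equals(user.Identity.Name, idFromUrl, StringComparison.Ordinal);
    }
}
```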
  9. seguso

    seguso Guest

    Thank you very much everybody. :)

    Maurizio
    seguso, Jun 11, 2007
    #9
  10. seguso

    seguso Guest

    On 11 Jun, 17:42, bruce barker <> wrote:
    > Map html files to asp.net in IIS. Then in your global.asa, in the
    > BeginRequest, do the user check. If it fails, return a 401 response.
    >
    > Also you could encrypt the userid, so it's hard to guess.



    Thank you very much Bruce. That's exactly what I was looking for.

    Maurizio
    seguso, Jun 12, 2007
    #10