Protect PDF files via ASP?

Discussion in 'ASP General' started by Brian Madden, Feb 25, 2005.

  1. Brian Madden

    Brian Madden Guest

    Hello All,

    I have what I thought would be a simple problem although I've been searching
    for a few hours with no luck.

    I have several PDF and MPG files I would like to provide to users to
    download via HTTP. I also have a database of user accounts. I would like to
    protect the PDF and MPG files so that users cannot "save target as" or "view
    source" to directly link to the files.

    My first thought is that I would have to remove anonymous access to these
    files and/or their parent folder within IIS. I was thinking that I could
    then create a Windows account called something like WebUsers and give it
    access to that folder. I'm hoping to write some ASP code that authenticates
    my users against my own database and, if successful, logs them into IIS via
    the WebUsers account (so that all my users share the same account).

    My problem is I cannot find an code or method or object to do this. Is there
    some simple function that I can use to pass a username, pw, and domain to
    IIS to authenticate the user that would then carry through for them to be
    able to download non-ASP (PDF, etc.) content?

    Or, am I completely thinking about this the wrong way? It seems to me that
    this is something that would be fairly common.

    Thanks,
    Brian
     
    Brian Madden, Feb 25, 2005
    #1
    1. Advertising

  2. Brian Madden

    Tim Williams Guest

    You can use an ADO Sttream object to do this: it reads the file from
    its location and streams it to the user.


    Tim.


    "Brian Madden" <> wrote in message
    news:%...
    > Hello All,
    >
    > I have what I thought would be a simple problem although I've been
    > searching for a few hours with no luck.
    >
    > I have several PDF and MPG files I would like to provide to users to
    > download via HTTP. I also have a database of user accounts. I would
    > like to protect the PDF and MPG files so that users cannot "save
    > target as" or "view source" to directly link to the files.
    >
    > My first thought is that I would have to remove anonymous access to
    > these files and/or their parent folder within IIS. I was thinking
    > that I could then create a Windows account called something like
    > WebUsers and give it access to that folder. I'm hoping to write some
    > ASP code that authenticates my users against my own database and, if
    > successful, logs them into IIS via the WebUsers account (so that all
    > my users share the same account).
    >
    > My problem is I cannot find an code or method or object to do this.
    > Is there some simple function that I can use to pass a username, pw,
    > and domain to IIS to authenticate the user that would then carry
    > through for them to be able to download non-ASP (PDF, etc.) content?
    >
    > Or, am I completely thinking about this the wrong way? It seems to
    > me that this is something that would be fairly common.
    >
    > Thanks,
    > Brian
    >
     
    Tim Williams, Feb 25, 2005
    #2
    1. Advertising

  3. "Brian Madden" <> wrote in message
    news:#...
    > Hello All,
    >
    > I have what I thought would be a simple problem although I've been

    searching
    > for a few hours with no luck.
    >
    > I have several PDF and MPG files I would like to provide to users to
    > download via HTTP. I also have a database of user accounts. I would like

    to
    > protect the PDF and MPG files so that users cannot "save target as" or

    "view
    > source" to directly link to the files.
    >
    > My first thought is that I would have to remove anonymous access to these
    > files and/or their parent folder within IIS. I was thinking that I could
    > then create a Windows account called something like WebUsers and give it
    > access to that folder. I'm hoping to write some ASP code that

    authenticates
    > my users against my own database and, if successful, logs them into IIS

    via
    > the WebUsers account (so that all my users share the same account).
    >
    > My problem is I cannot find an code or method or object to do this. Is

    there
    > some simple function that I can use to pass a username, pw, and domain to
    > IIS to authenticate the user that would then carry through for them to be
    > able to download non-ASP (PDF, etc.) content?
    >
    > Or, am I completely thinking about this the wrong way? It seems to me that
    > this is something that would be fairly common.


    To add to what Tim said ...

    Put the files outside of the wwwroot path so there is no direct URL access
    to them. In your ASP code, authenticate your users from your database and
    then as appropriate use ADODB.Stream to Response.BinaryWrite the contents of
    the PDF.

    Here's an example with jpg, just chnage the relevant bits for PDF:
    http://www.aspfaq.com/show.asp?id=2161

    --
    Tom Kaminski IIS MVP
    http://www.microsoft.com/windowsserver2003/community/centers/iis/
    http://mvp.support.microsoft.com/
    http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
     
    Tom Kaminski [MVP], Feb 25, 2005
    #3
  4. Brian Madden

    Brian Madden Guest

    Awesome guys, thanks a lot!

    Do any of you have any experience with "Coldlink?" It's a product that does
    dynamic URL rewriting that includes keys in the URL that are only valid for
    5 minutes. (It works as an asapi filter.) In my case I want my solution to
    be as "real" or "normal" as possible. I have people who will be downloading
    large video files from a conference, so each file could be several hundred
    megabytes.

    Thanks again.. I'll be checking this stuff out today.

    Brian


    "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
    news:e10$...
    > "Brian Madden" <> wrote in message
    > news:#...
    >> Hello All,
    >>
    >> I have what I thought would be a simple problem although I've been

    > searching
    >> for a few hours with no luck.
    >>
    >> I have several PDF and MPG files I would like to provide to users to
    >> download via HTTP. I also have a database of user accounts. I would like

    > to
    >> protect the PDF and MPG files so that users cannot "save target as" or

    > "view
    >> source" to directly link to the files.
    >>
    >> My first thought is that I would have to remove anonymous access to these
    >> files and/or their parent folder within IIS. I was thinking that I could
    >> then create a Windows account called something like WebUsers and give it
    >> access to that folder. I'm hoping to write some ASP code that

    > authenticates
    >> my users against my own database and, if successful, logs them into IIS

    > via
    >> the WebUsers account (so that all my users share the same account).
    >>
    >> My problem is I cannot find an code or method or object to do this. Is

    > there
    >> some simple function that I can use to pass a username, pw, and domain to
    >> IIS to authenticate the user that would then carry through for them to be
    >> able to download non-ASP (PDF, etc.) content?
    >>
    >> Or, am I completely thinking about this the wrong way? It seems to me
    >> that
    >> this is something that would be fairly common.

    >
    > To add to what Tim said ...
    >
    > Put the files outside of the wwwroot path so there is no direct URL access
    > to them. In your ASP code, authenticate your users from your database and
    > then as appropriate use ADODB.Stream to Response.BinaryWrite the contents
    > of
    > the PDF.
    >
    > Here's an example with jpg, just chnage the relevant bits for PDF:
    > http://www.aspfaq.com/show.asp?id=2161
    >
    > --
    > Tom Kaminski IIS MVP
    > http://www.microsoft.com/windowsserver2003/community/centers/iis/
    > http://mvp.support.microsoft.com/
    > http://www.iistoolshed.com/ - tools, scripts, and utilities for running
    > IIS
    >
    >
     
    Brian Madden, Feb 25, 2005
    #4
  5. Brian Madden

    Jeff Cochran Guest

    On Thu, 24 Feb 2005 22:37:39 -0500, "Brian Madden"
    <> wrote:

    >I have what I thought would be a simple problem although I've been searching
    >for a few hours with no luck.
    >
    >I have several PDF and MPG files I would like to provide to users to
    >download via HTTP. I also have a database of user accounts. I would like to
    >protect the PDF and MPG files so that users cannot "save target as" or "view
    >source" to directly link to the files.
    >
    >My first thought is that I would have to remove anonymous access to these
    >files and/or their parent folder within IIS. I was thinking that I could
    >then create a Windows account called something like WebUsers and give it
    >access to that folder. I'm hoping to write some ASP code that authenticates
    >my users against my own database and, if successful, logs them into IIS via
    >the WebUsers account (so that all my users share the same account).
    >
    >My problem is I cannot find an code or method or object to do this. Is there
    >some simple function that I can use to pass a username, pw, and domain to
    >IIS to authenticate the user that would then carry through for them to be
    >able to download non-ASP (PDF, etc.) content?
    >
    >Or, am I completely thinking about this the wrong way? It seems to me that
    >this is something that would be fairly common.


    To add to the others, this is also futile. If you want me to view a
    PDF or an MPG, it has to transfer to my system. Once there it's under
    my control, not yours. I can saved it and send it on.

    Of course, that only applies to the authorized users after you secure
    the files, but you can't truly control content on the internet.

    Jeff
     
    Jeff Cochran, Feb 25, 2005
    #5
  6. Brian Madden

    Brian Madden Guest

    Oh yeah, I totally hear what you're saying. Unless I get into the DRM for
    the MPEGs, I realize that anyone can do anything with the files. I think
    some people have the feeling that it's not "stealing" if they just link to
    the file on my site, even if it's a deep link to a private area. So by
    implementing the methods outlined here, at least people will be forced to
    actively get around it (by downloading, saving, and linking) as opposed to
    just an "innocent" link to the file on my site.

    Thanks again everyone,
    Brian

    "Jeff Cochran" <> wrote in message
    news:...
    > On Thu, 24 Feb 2005 22:37:39 -0500, "Brian Madden"
    > <> wrote:
    >
    >>I have what I thought would be a simple problem although I've been
    >>searching
    >>for a few hours with no luck.
    >>
    >>I have several PDF and MPG files I would like to provide to users to
    >>download via HTTP. I also have a database of user accounts. I would like
    >>to
    >>protect the PDF and MPG files so that users cannot "save target as" or
    >>"view
    >>source" to directly link to the files.
    >>
    >>My first thought is that I would have to remove anonymous access to these
    >>files and/or their parent folder within IIS. I was thinking that I could
    >>then create a Windows account called something like WebUsers and give it
    >>access to that folder. I'm hoping to write some ASP code that
    >>authenticates
    >>my users against my own database and, if successful, logs them into IIS
    >>via
    >>the WebUsers account (so that all my users share the same account).
    >>
    >>My problem is I cannot find an code or method or object to do this. Is
    >>there
    >>some simple function that I can use to pass a username, pw, and domain to
    >>IIS to authenticate the user that would then carry through for them to be
    >>able to download non-ASP (PDF, etc.) content?
    >>
    >>Or, am I completely thinking about this the wrong way? It seems to me that
    >>this is something that would be fairly common.

    >
    > To add to the others, this is also futile. If you want me to view a
    > PDF or an MPG, it has to transfer to my system. Once there it's under
    > my control, not yours. I can saved it and send it on.
    >
    > Of course, that only applies to the authorized users after you secure
    > the files, but you can't truly control content on the internet.
    >
    > Jeff
     
    Brian Madden, Feb 25, 2005
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. MS News \(MS ILM\)
    Replies:
    1
    Views:
    429
    Scott Schluer
    Aug 19, 2003
  2. cjburkha

    Password protect .jpg or .pdf

    cjburkha, Jul 24, 2006, in forum: ASP .Net Security
    Replies:
    2
    Views:
    408
    cjburkha
    Jul 25, 2006
  3. Ricardo Pog
    Replies:
    1
    Views:
    492
    Austin Ziegler
    Mar 26, 2008
  4. Sean Nakasone
    Replies:
    1
    Views:
    431
    Farrel Lifson
    Apr 14, 2008
  5. Luuk
    Replies:
    0
    Views:
    404
Loading...

Share This Page