protected download of files...

[Matthew Moran]

I am creating a series of downloadable articles, career
tools, spreadsheets, etc. However, some of the content is
for "registered" guest. The registrants are stored in a
database and logon.

I want to ensure that someone registered cannot simply
pass someone the path to the files for download. However,
I am not creating an actual system user name for the
folders where the various documents exist.

I don't want someone to logon, retrieve the path to a
file, and be able to send that path or return to that path
without having to logon.

How do I accomplish this?

Consider the following:
serverroot/registeredcontentfolders would be protected by
a single logon name - not accessible via anonymous
access. User's logon to site and I auth them with their
user name but on the server side, auth with the single
account I am establishing for access to the protected
folders.

Any insight would be appreciated.

Thanks,
Matt

 

[Turkbear]

I am creating a series of downloadable articles, career
tools, spreadsheets, etc. However, some of the content is
for "registered" guest. The registrants are stored in a
database and logon.

I want to ensure that someone registered cannot simply
pass someone the path to the files for download. However,
I am not creating an actual system user name for the
folders where the various documents exist.

I don't want someone to logon, retrieve the path to a
file, and be able to send that path or return to that path
without having to logon.

How do I accomplish this?

Consider the following:
serverroot/registeredcontentfolders would be protected by
a single logon name - not accessible via anonymous
access. User's logon to site and I auth them with their
user name but on the server side, auth with the single
account I am establishing for access to the protected
folders.

Any insight would be appreciated.

Thanks,
Matt

Place the 'restricted' downloads on a page that has the following code ( or some equivalent to it ) immediately after
the BODY tag:

<SCRIPT Language="JavaScript">
if (document.referrer != "http://YourLogin_passwordform_page.asp") {
location.href="http://Someplace_else.asp"
}

</SCRIPT>


hth,

 

[Boris Nikolaevich]

I have done this for several sites I have developed.

What I have done is create a "download.asp" script which checks for the
appropriate permissions, then uses FileSystemObject to read the file from
disk Response.ContentType, Response.AddHeader, and Response.BinaryWrite to
send the file to the browser.

This script is moste effective when the folder which stores the downloadable
files is outside the web structure, so there is no way that someone can get
to the files other than through download.asp. (For example, on the site I
was working on today, the client has the root folder for the domain at
d:\iisdata\www.myserver.com\html, and all of the downloadable files are in
d:\iisdata\www.myserver.com\downloads --since downloads is outside the web
root, there's no way to get to it from a browser.)

I have found added benefits by storing full names and paths to files in a
database, and only use a short ID to retrieve the file in my script. For
example, on the first site I developed using this method, I might have had a
link like
http://www.myserver.com/download.asp?filename=members/documents/othertools/glossary.doc.
As I kept reusing the same code, I figured out that it was even more
efficient to have a link like
http://www.myserver.com/download.asp?FileID=107 --not only does this mask
the full file name from the user, but it lets me easily flag files as
"members only" or "general public" by adding a field in the database, and it
eliminates problems I was having where people would try to publish documents
with names like "Member Dues & Fees.xls" (includes spaces and an &, which
were sometimes problematic for query strings!)

Hope that helps you get started,
Boris

 

[Chris Baldwin]

I am creating a series of downloadable articles, career
tools, spreadsheets, etc. However, some of the content is
for "registered" guest. The registrants are stored in a
database and logon.

I want to ensure that someone registered cannot simply
pass someone the path to the files for download. However,
I am not creating an actual system user name for the
folders where the various documents exist.

I don't want someone to logon, retrieve the path to a
file, and be able to send that path or return to that path
without having to logon.

Matthew,

This is a common task, and you should be able to implement a solution
quickly. The best way to accomplish this is with an ASP download
script that uses software such as SoftArtisans FileUp
(http://fileup.softartisans.com). Using something such as FileUp to
handle the streaming of files is more reliable, more feature-rich, and
better performance-wise than just using the FileSystemObject (which
doesn't deal with binary files correctly) to stream your downloads.

-Chris