protected download of files...

Discussion in 'ASP General' started by Matthew Moran, Sep 12, 2003.

  1. I am creating a series of downloadable articles, career
    tools, spreadsheets, etc. However, some of the content is
    for "registered" guest. The registrants are stored in a
    database and logon.

    I want to ensure that someone registered cannot simply
    pass someone the path to the files for download. However,
    I am not creating an actual system user name for the
    folders where the various documents exist.

    I don't want someone to logon, retrieve the path to a
    file, and be able to send that path or return to that path
    without having to logon.

    How do I accomplish this?

    Consider the following:
    serverroot/registeredcontentfolders would be protected by
    a single logon name - not accessible via anonymous
    access. User's logon to site and I auth them with their
    user name but on the server side, auth with the single
    account I am establishing for access to the protected
    folders.

    Any insight would be appreciated.

    Thanks,
    Matt
     
    Matthew Moran, Sep 12, 2003
    #1
    1. Advertising

  2. Matthew Moran

    Turkbear Guest

    On Fri, 12 Sep 2003 09:11:54 -0700, "Matthew Moran" <> wrote:

    >I am creating a series of downloadable articles, career
    >tools, spreadsheets, etc. However, some of the content is
    >for "registered" guest. The registrants are stored in a
    >database and logon.
    >
    >I want to ensure that someone registered cannot simply
    >pass someone the path to the files for download. However,
    >I am not creating an actual system user name for the
    >folders where the various documents exist.
    >
    >I don't want someone to logon, retrieve the path to a
    >file, and be able to send that path or return to that path
    >without having to logon.
    >
    >How do I accomplish this?
    >
    >Consider the following:
    >serverroot/registeredcontentfolders would be protected by
    >a single logon name - not accessible via anonymous
    >access. User's logon to site and I auth them with their
    >user name but on the server side, auth with the single
    >account I am establishing for access to the protected
    >folders.
    >
    >Any insight would be appreciated.
    >
    >Thanks,
    >Matt


    Place the 'restricted' downloads on a page that has the following code ( or some equivalent to it ) immediately after
    the BODY tag:

    <SCRIPT Language="JavaScript">
    if (document.referrer != "http://YourLogin_passwordform_page.asp") {
    location.href="http://Someplace_else.asp"
    }

    </SCRIPT>


    hth,
     
    Turkbear, Sep 12, 2003
    #2
    1. Advertising

  3. I have done this for several sites I have developed.

    What I have done is create a "download.asp" script which checks for the
    appropriate permissions, then uses FileSystemObject to read the file from
    disk Response.ContentType, Response.AddHeader, and Response.BinaryWrite to
    send the file to the browser.

    This script is moste effective when the folder which stores the downloadable
    files is outside the web structure, so there is no way that someone can get
    to the files other than through download.asp. (For example, on the site I
    was working on today, the client has the root folder for the domain at
    d:\iisdata\www.myserver.com\html, and all of the downloadable files are in
    d:\iisdata\www.myserver.com\downloads --since downloads is outside the web
    root, there's no way to get to it from a browser.)

    I have found added benefits by storing full names and paths to files in a
    database, and only use a short ID to retrieve the file in my script. For
    example, on the first site I developed using this method, I might have had a
    link like
    http://www.myserver.com/download.asp?filename=members/documents/othertools/glossary.doc.
    As I kept reusing the same code, I figured out that it was even more
    efficient to have a link like
    http://www.myserver.com/download.asp?FileID=107 --not only does this mask
    the full file name from the user, but it lets me easily flag files as
    "members only" or "general public" by adding a field in the database, and it
    eliminates problems I was having where people would try to publish documents
    with names like "Member Dues & Fees.xls" (includes spaces and an &, which
    were sometimes problematic for query strings!)

    Hope that helps you get started,
    Boris

    "Matthew Moran" <> wrote in message
    news:27d801c37948$9512a860$...
    > I am creating a series of downloadable articles, career
    > tools, spreadsheets, etc. However, some of the content is
    > for "registered" guest. The registrants are stored in a
    > database and logon.
    >
    > I want to ensure that someone registered cannot simply
    > pass someone the path to the files for download. However,
    > I am not creating an actual system user name for the
    > folders where the various documents exist.
    >
    > I don't want someone to logon, retrieve the path to a
    > file, and be able to send that path or return to that path
    > without having to logon.
    >
    > How do I accomplish this?
    >
    > Consider the following:
    > serverroot/registeredcontentfolders would be protected by
    > a single logon name - not accessible via anonymous
    > access. User's logon to site and I auth them with their
    > user name but on the server side, auth with the single
    > account I am establishing for access to the protected
    > folders.
    >
    > Any insight would be appreciated.
    >
    > Thanks,
    > Matt
     
    Boris Nikolaevich, Sep 13, 2003
    #3
  4. "Matthew Moran" <> wrote in message news:<27d801c37948$9512a860$>...
    > I am creating a series of downloadable articles, career
    > tools, spreadsheets, etc. However, some of the content is
    > for "registered" guest. The registrants are stored in a
    > database and logon.
    >
    > I want to ensure that someone registered cannot simply
    > pass someone the path to the files for download. However,
    > I am not creating an actual system user name for the
    > folders where the various documents exist.
    >
    > I don't want someone to logon, retrieve the path to a
    > file, and be able to send that path or return to that path
    > without having to logon.


    Matthew,

    This is a common task, and you should be able to implement a solution
    quickly. The best way to accomplish this is with an ASP download
    script that uses software such as SoftArtisans FileUp
    (http://fileup.softartisans.com). Using something such as FileUp to
    handle the streaming of files is more reliable, more feature-rich, and
    better performance-wise than just using the FileSystemObject (which
    doesn't deal with binary files correctly) to stream your downloads.

    -Chris
     
    Chris Baldwin, Sep 13, 2003
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Andreas Klemt
    Replies:
    2
    Views:
    562
    Andreas Klemt
    Jul 5, 2003
  2. Garett Rogers
    Replies:
    1
    Views:
    282
    stefano mostarda
    Jul 5, 2004
  3. Paul Lynch
    Replies:
    1
    Views:
    409
    www.MSmobiles.com
    Jul 15, 2004
  4. PerlFAQ Server
    Replies:
    0
    Views:
    591
    PerlFAQ Server
    Feb 11, 2011
  5. PerlFAQ Server
    Replies:
    0
    Views:
    590
    PerlFAQ Server
    Mar 9, 2011
Loading...

Share This Page