Securing uploaded documents

Discussion in 'ASP General' started by Dean g, Apr 28, 2010.

  1. Dean g

    Dean g Guest

    Hi,
    I need help stopping people from accessing documents on the
    server unless they are logged in through the website. I don't
    know how to do this without using a database or just manually
    adding passwords to folders.

    I know it's possible in .NET; any help on how to do this in
    classic ASP would be greatly appreciated.

    Regards,
    Dean



    Dean g, Apr 28, 2010
    #1

  2. Dean g

    Bwig Zomberi Guest

    Dean g wrote:
    > Hi,
    > I need help stopping people from accessing documents on the
    > server unless they are logged in through the website. I don't
    > know how to do this without using a database or just manually
    > adding passwords to folders.
    >
    > I know it's possible in .NET; any help on how to do this in
    > classic ASP would be greatly appreciated.
    >
    > Regards,
    > Dean
    >
    >
    >



    After authenticating the user, read the file contents and then

    1. Use Response.ContentType to set mime type.

    2. Use Response.AddHeader to set the file name:
    Response.AddHeader "content-disposition","attachment; filename=fname.ext"

    3. Use Response.BinaryWrite to send the file to the browser.

    --
    Bwig Zomberi
    Bwig Zomberi, Apr 28, 2010
    #2

  3. Dean g

    Dean g Guest

    Dean g, May 4, 2010
    #3
  4. Dean g

    Dan Guest

    "Dean g" <> wrote in message
    news:...
    >
    > Thanks for the help Bwig


    Just a note though - if the file is large, you may have to send it out in
    chunks instead of all in one go. If you Google for "ado stream binarywrite"
    you'll find plenty of examples of how to do this in ASP.

    --
    Dan
    Dan, May 4, 2010
    #4
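
The steps from posts #2 and #4 put together as one classic ASP page, added here as an example; it is not code from any poster in the thread. It assumes the login page sets Session("UserId"), that the documents sit in a folder outside the web root (the path shown is a placeholder), and that the link passes the file name as ?f=; IsSafeName, MimeFor and Deny are hypothetical helper names.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
Response.Buffer = True

' Assumptions (not from the thread): Session("UserId") is set at login,
' DOC_ROOT is a folder IIS does not serve, the link is download.asp?f=name.ext.
Const DOC_ROOT = "D:\private_docs\"   ' placeholder path outside the web root
Const CHUNK_SIZE = 65536              ' bytes per BinaryWrite
Const adTypeBinary = 1

Dim fso, stream, fileName, fullPath

' 1. Only logged-in users get any further (Redirect ends the page).
If IsEmpty(Session("UserId")) Then
    Response.Redirect "login.asp"     ' hypothetical login page
End If

' 2. Accept a bare file name only, so the request cannot leave DOC_ROOT.
fileName = Trim(Request.QueryString("f"))
If Not IsSafeName(fileName) Then Deny "400 Bad Request"

Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = fso.BuildPath(DOC_ROOT, fileName)
If Not fso.FileExists(fullPath) Then Deny "404 Not Found"

' 3. Headers: MIME type by extension, then the suggested file name.
Response.ContentType = MimeFor(fso.GetExtensionName(fullPath))
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"

' 4. Send the file in chunks so the response buffer never holds all of it,
'    and stop early if the client has gone away.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile fullPath
Response.AddHeader "Content-Length", CStr(stream.Size)
Do While Not stream.EOS And Response.IsClientConnected
    Response.BinaryWrite stream.Read(CHUNK_SIZE)
    Response.Flush
Loop
stream.Close

Function IsSafeName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_\-]+(\.[A-Za-z0-9]+)?$"  ' no slashes, "..", or quotes
    IsSafeName = (Len(name) > 0 And Len(name) <= 100 And re.Test(name))
End Function

Function MimeFor(ext)
    Select Case LCase(ext)
        Case "pdf" : MimeFor = "application/pdf"
        Case "doc" : MimeFor = "application/msword"
        Case "txt" : MimeFor = "text/plain"
        Case Else  : MimeFor = "application/octet-stream"
    End Select
End Function

Sub Deny(status)
    Response.Status = status
    Response.End
End Sub
%>
```

Keeping the documents outside the web root matters as much as the session check: if the folder is still reachable by URL, the script is bypassed by requesting the file directly.
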
  5. Dean g

    Dean g Guest

    Thanks for the help guys, I have a new problem with this
    though, which hopefully you can help with.

    I can't get the documents to open in the browser, they
    automatically save. Ideally I would like to open the files in
    a popup window if that's possible.

    My code looks like this; the inline just isn't doing anything.

    Response.AddHeader "Content-Disposition","inline; filename=" & file

    Regards,
    Dean g

    Dean g, May 12, 2010
    #5
  6. Dean g

    Bwig Zomberi Guest

    Dean g wrote:
    > Thanks for the help guys, I have a new problem with this
    > though, which hopefully you can help with.
    >
    > I can't get the documents to open in the browser, they
    > automatically save.


    This depends on the browser setting. You may have prevented the show
    dialog box setting and set it for automatic save. Try with another
    browser or on another computer.

    > Ideally I would like to open the files in
    > a popup window if that's possible.



    In the link that connects to this ASP, use target="_blank".

    Omit the Response.AddHeader.

    Depending on the MIME type and related settings, the browser may display
    the contents in a new window. If the browser is configured to load the
    content outside the browser in the native application, it may do so.


    >
    > My code looks like this; the inline just isn't doing anything.
    >
    > Response.AddHeader "Content-Disposition","inline; filename=" & file


    It provides a file name for the contents sent by the ASP page.
    Otherwise, you have to enter a name or the browser will give a name.

    --
    Bwig Zomberi
    Bwig Zomberi, May 12, 2010
    #6
  7. Dean g

    Dean g Guest

    Thanks again Bwig, I hadn't set the content type properly.

    It's working well now.



    Dean g, May 13, 2010
    #7
  8. Dean g

    Bwig Zomberi Guest

    Dan wrote:
    >
    > "Dean g" <> wrote in message
    > news:...
    >>
    >> Thanks for the help Bwig

    >
    > Just a note though - if the file is large, you may have to send it out
    > in chunks instead of all in one go. If you Google for "ado stream
    > binarywrite" you'll find plenty of examples of how to do this in ASP.
    >


    Dan, I wanted to implement something like this. However, for very large
    file downloads and slow user connections, the script will have to be
    running for a long time. IIS will kill any request after some time. Do
    you or anyone else know how to avoid that?


    --
    Bwig Zomberi
    Bwig Zomberi, May 13, 2010
    #8
  9. Dean g

    Dan Guest

    "Bwig Zomberi" <> wrote in message
    news:hsgc15$adl$...
    > Dan wrote:
    >>
    >> "Dean g" <> wrote in message
    >> news:...
    >>>
    >>> Thanks for the help Bwig

    >>
    >> Just a note though - if the file is large, you may have to send it out
    >> in chunks instead of all in one go. If you Google for "ado stream
    >> binarywrite" you'll find plenty of examples of how to do this in ASP.
    >>

    >
    > Dan, I wanted to implement something like this. However, for very large
    > file downloads and slow user connections, the script will have to be
    > running for a long time. IIS will kill any request after some time. Do you
    > or anyone else know how to avoid that?


    Look at documentation for the Server.ScriptTimeout property :)

    --
    Dan
    Dan, May 13, 2010
    #9
  10. Dean g

    Bwig Zomberi Guest

    Dan wrote:
    >
    > "Bwig Zomberi" <> wrote in message
    > news:hsgc15$adl$...
    >> Dan wrote:
    >>>
    >>> "Dean g" <> wrote in message
    >>> news:...
    >>>>
    >>>> Thanks for the help Bwig
    >>>
    >>> Just a note though - if the file is large, you may have to send it out
    >>> in chunks instead of all in one go. If you Google for "ado stream
    >>> binarywrite" you'll find plenty of examples of how to do this in ASP.
    >>>

    >>
    >> Dan, I wanted to implement something like this. However, for very
    >> large file downloads and slow user connections, the script will have
    >> to be running for a long time. IIS will kill any request after some
    >> time. Do you or anyone else know how to avoid that?

    >
    > Look at documentation for the Server.ScriptTimeout property :)
    >


    No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and
    the user is on dialup. It will take several hours. IIS will kill the
    request.

    --
    Bwig Zomberi
    Bwig Zomberi, May 13, 2010
    #10
  11. Dean g

    Dooza Guest

    On 13/05/2010 13:00, Bwig Zomberi wrote:
    > Dan wrote:
    >>
    >> "Bwig Zomberi" <> wrote in message
    >> news:hsgc15$adl$...
    >>> Dan wrote:
    >>>>
    >>>> "Dean g" <> wrote in message
    >>>> news:...
    >>>>>
    >>>>> Thanks for the help Bwig
    >>>>
    >>>> Just a note though - if the file is large, you may have to send it out
    >>>> in chunks instead of all in one go. If you Google for "ado stream
    >>>> binarywrite" you'll find plenty of examples of how to do this in ASP.
    >>>>
    >>>
    >>> Dan, I wanted to implement something like this. However, for very
    >>> large file downloads and slow user connections, the script will have
    >>> to be running for a long time. IIS will kill any request after some
    >>> time. Do you or anyone else know how to avoid that?

    >>
    >> Look at documentation for the Server.ScriptTimeout property :)
    >>

    >
    > No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and
    > the user is on dialup. It will take several hours. IIS will kill the
    > request.


    Surely a protocol designed for larger files would be more appropriate?
    Like FTP maybe?

    Dooza
    Dooza, May 13, 2010
    #11
  12. Dean g

    Dan Guest

    "Bwig Zomberi" <> wrote in message
    news:hsgphs$uka$...
    > Dan wrote:
    >>
    >> "Bwig Zomberi" <> wrote in message
    >> news:hsgc15$adl$...
    >>> Dan wrote:
    >>>>
    >>>> "Dean g" <> wrote in message
    >>>> news:...
    >>>>>
    >>>>> Thanks for the help Bwig
    >>>>
    >>>> Just a note though - if the file is large, you may have to send it out
    >>>> in chunks instead of all in one go. If you Google for "ado stream
    >>>> binarywrite" you'll find plenty of examples of how to do this in ASP.
    >>>>
    >>>
    >>> Dan, I wanted to implement something like this. However, for very
    >>> large file downloads and slow user connections, the script will have
    >>> to be running for a long time. IIS will kill any request after some
    >>> time. Do you or anyone else know how to avoid that?

    >>
    >> Look at documentation for the Server.ScriptTimeout property :)
    >>

    >
    > No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and the
    > user is on dialup. It will take several hours. IIS will kill the request.


    In that case, don't do it :p

    As Dooza points out, FTP is more appropriate for something like this.

    Any application you build will have limits - you just have to figure out
    what is feasible and use alternate means for anything that falls outside of
    the parameters you come up with.

    --
    Dan
    Dan, May 13, 2010
    #12
  13. Dean g

    Bwig Zomberi Guest

    Dooza wrote:
    > On 13/05/2010 13:00, Bwig Zomberi wrote:
    >> Dan wrote:
    >>>
    >>> "Bwig Zomberi" <> wrote in message
    >>> news:hsgc15$adl$...
    >>>> Dan wrote:
    >>>>>
    >>>>> "Dean g" <> wrote in message
    >>>>> news:...
    >>>>>>
    >>>>>> Thanks for the help Bwig
    >>>>>
    >>>>> Just a note though - if the file is large, you may have to send it out
    >>>>> in chunks instead of all in one go. If you Google for "ado stream
    >>>>> binarywrite" you'll find plenty of examples of how to do this in ASP.
    >>>>>
    >>>>
    >>>> Dan, I wanted to implement something like this. However, for very
    >>>> large file downloads and slow user connections, the script will have
    >>>> to be running for a long time. IIS will kill any request after some
    >>>> time. Do you or anyone else know how to avoid that?
    >>>
    >>> Look at documentation for the Server.ScriptTimeout property :)
    >>>

    >>
    >> No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and
    >> the user is on dialup. It will take several hours. IIS will kill the
    >> request.

    >
    > Surely a protocol designed for larger files would be more appropriate?
    > Like FTP maybe?
    >


    FTP sends passwords unencrypted. SFTP is not available on all hosting
    servers.


    --
    Bwig Zomberi
    Bwig Zomberi, May 13, 2010
    #13
  14. Dean g

    Dan Guest

    "Bwig Zomberi" <> wrote in message
    news:hsgrhk$1qi$...
    > Dooza wrote:
    >> On 13/05/2010 13:00, Bwig Zomberi wrote:
    >>> Dan wrote:
    >>>>
    >>>> "Bwig Zomberi" <> wrote in message
    >>>> news:hsgc15$adl$...
    >>>>> Dan wrote:
    >>>>>>
    >>>>>> "Dean g" <> wrote in message
    >>>>>> news:...
    >>>>>>>
    >>>>>>> Thanks for the help Bwig
    >>>>>>
    >>>>>> Just a note though - if the file is large, you may have to send it
    >>>>>> out
    >>>>>> in chunks instead of all in one go. If you Google for "ado stream
    >>>>>> binarywrite" you'll find plenty of examples of how to do this in ASP.
    >>>>>>
    >>>>>
    >>>>> Dan, I wanted to implement something like this. However, for very
    >>>>> large file downloads and slow user connections, the script will have
    >>>>> to be running for a long time. IIS will kill any request after some
    >>>>> time. Do you or anyone else know how to avoid that?
    >>>>
    >>>> Look at documentation for the Server.ScriptTimeout property :)
    >>>>
    >>>
    >>> No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and
    >>> the user is on dialup. It will take several hours. IIS will kill the
    >>> request.

    >>
    >> Surely a protocol designed for larger files would be more appropriate?
    >> Like FTP maybe?
    >>

    >
    > FTP sends passwords unencrypted. SFTP is not available on all hosting
    > servers.


    Either use anonymous FTP (if the files were going on a web site without
    authentication), or use a custom FTP system with a short term unique ID in
    the filename request to authenticate against an existing request via the
    authenticated web application. Or come up with some other custom
    authentication scheme.

    Hosting large files on a standard public hosting package is obviously not an
    appropriate use of said hosting. In many cases it'll likely be a violation
    of the hosting T&C anyway. If you have a VPS or dedicated server then you
    have a lot more flexibility and should be able to set up SFTP, FTP+SSL, or
    any of a number of options for hardening FTP (or any other
    application/protocol designed for handling large files).

    If you're going to pick holes in every suggestion provided we're going to be
    here indefinitely :p

    --
    Dan
    Dan, May 13, 2010
    #14
  15. Dean g

    Bwig Zomberi Guest

    Dan wrote:
    >
    > "Bwig Zomberi" <> wrote in message
    > news:hsgrhk$1qi$...
    >> Dooza wrote:
    >>> On 13/05/2010 13:00, Bwig Zomberi wrote:
    >>>> Dan wrote:
    >>>>>
    >>>>> "Bwig Zomberi" <> wrote in message
    >>>>> news:hsgc15$adl$...
    >>>>>> Dan wrote:
    >>>>>>>
    >>>>>>> "Dean g" <> wrote in message
    >>>>>>> news:...
    >>>>>>>>
    >>>>>>>> Thanks for the help Bwig
    >>>>>>>
    >>>>>>> Just a note though - if the file is large, you may have to send
    >>>>>>> it out
    >>>>>>> in chunks instead of all in one go. If you Google for "ado stream
    >>>>>>> binarywrite" you'll find plenty of examples of how to do this in
    >>>>>>> ASP.
    >>>>>>>
    >>>>>>
    >>>>>> Dan, I wanted to implement something like this. However, for very
    >>>>>> large file downloads and slow user connections, the script will have
    >>>>>> to be running for a long time. IIS will kill any request after some
    >>>>>> time. Do you or anyone else know how to avoid that?
    >>>>>
    >>>>> Look at documentation for the Server.ScriptTimeout property :)
    >>>>>
    >>>>
    >>>> No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and
    >>>> the user is on dialup. It will take several hours. IIS will kill the
    >>>> request.
    >>>
    >>> Surely a protocol designed for larger files would be more appropriate?
    >>> Like FTP maybe?
    >>>

    >>
    >> FTP sends passwords unencrypted. SFTP is not available on all hosting
    >> servers.

    >
    > Either use anonymous FTP (if the files were going on a web site without
    > authentication), or use a custom FTP system with a short term unique ID
    > in the filename request to authenticate against an existing request via
    > the authenticated web application. Or come up with some other custom
    > authentication scheme.
    >
    > Hosting large files on a standard public hosting package is obviously
    > not an appropriate use of said hosting. In many cases it'll likely be a
    > violation of the hosting T&C anyway. If you have a VPS or dedicated
    > server then you have a lot more flexibility and should be able to set up
    > SFTP, FTP+SSL, or any of a number of options for hardening FTP (or any
    > other application/protocol designed for handling large files).
    >
    > If you're going to pick holes in every suggestion provided we're going
    > to be here indefinitely :p
    >


    I just needed a second opinion that I have done everything that can be
    done with a script. I am not picking holes. I had already tried
    everything you had suggested when I was faced with the same problem as the
    OP. I provided the solution to the OP based on that experience.

    The files I handle are less than 70 MB and they are on a shared hosting
    server. However, I did not go for the ASP download solution because of
    slow downloaders. Currently, HTTP folder passwords are used. This is
    also unsatisfactory: credentials are sent as plain text.


    --
    Bwig Zomberi
    Bwig Zomberi, May 13, 2010
    #15
  16. Dean g

    Dan Guest

    "Bwig Zomberi" <> wrote in message
    news:hshdse$ufq$...
    > Dan wrote:
    >>
    >> "Bwig Zomberi" <> wrote in message
    >> news:hsgrhk$1qi$...
    >>> Dooza wrote:
    >>>> On 13/05/2010 13:00, Bwig Zomberi wrote:
    >>>>> Dan wrote:
    >>>>>>
    >>>>>> "Bwig Zomberi" <> wrote in message
    >>>>>> news:hsgc15$adl$...
    >>>>>>> Dan wrote:
    >>>>>>>>
    >>>>>>>> "Dean g" <> wrote in message
    >>>>>>>> news:...
    >>>>>>>>>
    >>>>>>>>> Thanks for the help Bwig
    >>>>>>>>
    >>>>>>>> Just a note though - if the file is large, you may have to send
    >>>>>>>> it out
    >>>>>>>> in chunks instead of all in one go. If you Google for "ado stream
    >>>>>>>> binarywrite" you'll find plenty of examples of how to do this in
    >>>>>>>> ASP.
    >>>>>>>>
    >>>>>>>
    >>>>>>> Dan, I wanted to implement something like this. However, for very
    >>>>>>> large file downloads and slow user connections, the script will have
    >>>>>>> to be running for a long time. IIS will kill any request after some
    >>>>>>> time. Do you or anyone else know how to avoid that?
    >>>>>>
    >>>>>> Look at documentation for the Server.ScriptTimeout property :)
    >>>>>>
    >>>>>
    >>>>> No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and
    >>>>> the user is on dialup. It will take several hours. IIS will kill the
    >>>>> request.
    >>>>
    >>>> Surely a protocol designed for larger files would be more appropriate?
    >>>> Like FTP maybe?
    >>>>
    >>>
    >>> FTP sends passwords unencrypted. SFTP is not available on all hosting
    >>> servers.

    >>
    >> Either use anonymous FTP (if the files were going on a web site without
    >> authentication), or use a custom FTP system with a short term unique ID
    >> in the filename request to authenticate against an existing request via
    >> the authenticated web application. Or come up with some other custom
    >> authentication scheme.
    >>
    >> Hosting large files on a standard public hosting package is obviously
    >> not an appropriate use of said hosting. In many cases it'll likely be a
    >> violation of the hosting T&C anyway. If you have a VPS or dedicated
    >> server then you have a lot more flexibility and should be able to set up
    >> SFTP, FTP+SSL, or any of a number of options for hardening FTP (or any
    >> other application/protocol designed for handling large files).
    >>
    >> If you're going to pick holes in every suggestion provided we're going
    >> to be here indefinitely :p
    >>

    >
    > I just needed a second opinion that I have done everything that can be
    > done with a script. I am not picking holes. I had already tried everything
    > you had suggested when I was faced with the same problem as the OP. I provided
    > the solution to the OP based on that experience.
    >
    > The files I handle are less than 70 MB and they are on a shared hosting
    > server. However, I did not go for the ASP download solution because of
    > slow downloaders. Currently, HTTP folder passwords are used. This is also
    > unsatisfactory: credentials are sent as plain text.
    >


    For the latter issue, you will either need to look into SSL (which is often
    difficult with shared hosting as it requires a dedicated IP address for the
    site, or a SAN certificate covering all required virtual servers on a single
    IP), or NTLM/Integrated Authentication (which IIRC doesn't work if there are
    proxy servers involved between the browser and server).

    --
    Dan
    Dan, May 14, 2010
    #16
  17. Dean g

    Dean g Guest

    Hey guys,
    I have a new problem that hopefully you can help with. Do you know
    how to detect the MIME type of the file on the server? Some of
    my PDF files aren't getting recognized as PDFs and are filling
    the page with garbage.

    I think I need to determine the appropriate MIME type from
    binary data, but don't really have a clue where to start.



    Dean g, May 17, 2010
    #17
  18. Dean g

    Bwig Zomberi Guest

    Dean g wrote:
    > Hey guys,
    > I have a new problem that hopefully you can help with. Do you know
    > how to detect the MIME type of the file on the server? Some of
    > my PDF files aren't getting recognized as PDFs and are filling
    > the page with garbage.
    >
    > I think I need to determine the appropriate MIME type from
    > binary data, but don't really have a clue where to start.



    Check the extension of the file. If it is "PDF" or "pdf", then set the
    mime type to "application/pdf".

    Response.ContentType = "application/pdf"

    A list of popular mime types:
    http://msdn.microsoft.com/en-us/library/ms775147(VS.85).aspx#Known_MimeTypes

    For unknown mime types, I think you need to use "application/octet-stream"




    --
    Bwig Zomberi
    Bwig Zomberi, May 18, 2010
    #18
  19. Dean g

    Dan Guest

    "Bwig Zomberi" <> wrote in message
    news:hst5av$9sq$...
    > Dean g wrote:
    >> Hey guys,
    >> I have a new problem that hopefully you can help with. Do you know
    >> how to detect the MIME type of the file on the server? Some of
    >> my PDF files aren't getting recognized as PDFs and are filling
    >> the page with garbage.
    >>
    >> I think I need to determine the appropriate MIME type from
    >> binary data, but don't really have a clue where to start.

    >
    >
    > Check the extension of the file. If it is "PDF" or "pdf", then set the
    > mime type to "application/pdf".
    >
    > Response.ContentType = "application/pdf"
    >
    > A list of popular mime types:
    > http://msdn.microsoft.com/en-us/library/ms775147(VS.85).aspx#Known_MimeTypes
    >
    > For unknown mime types, I think you need to use "application/octet-stream"



    This is probably the best solution. IE7 and higher do have "MIME sniffing"
    too which will attempt to determine the real MIME type from the file header,
    but this seems to fail from time to time.

    --
    Dan
    Dan, May 18, 2010
    #19
  20. Dean g

    Dean g Guest

    I already check the ext, Bwig; the problem is they are not necessarily
    genuine PDFs. I've been searching for MIME
    sniffing code like you suggested, Dan, but so far can only find
    resources for .NET.



    Dean g, May 18, 2010
    #20
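
One way to do the check asked about in post #20 in classic ASP: read the file's leading bytes and send the MIME type the extension claims only when the format signature matches. This is an added example, not code from the thread; HeadHex, ContentTypeFor and SendTypeHeaders are hypothetical names, and fullPath and fileName are assumed to be values the caller has already validated.

```vbscript
<%
Const adTypeBinary = 1

' First `count` bytes of a file as uppercase hex, e.g. "255044462D" for "%PDF-".
' LoadFromFile reads the whole file, so reuse the stream if it is sent afterwards.
Function HeadHex(fullPath, count)
    Dim stream, bytes, i, hexText
    hexText = ""
    Set stream = Server.CreateObject("ADODB.Stream")
    stream.Type = adTypeBinary
    stream.Open
    stream.LoadFromFile fullPath
    If stream.Size > 0 Then
        bytes = stream.Read(count)
        For i = 1 To LenB(bytes)
            hexText = hexText & Right("0" & Hex(AscB(MidB(bytes, i, 1))), 2)
        Next
    End If
    stream.Close
    HeadHex = hexText
End Function

' MIME type to send: the type the extension claims, but only when the file
' really starts with that format's signature; otherwise a generic type.
Function ContentTypeFor(fullPath)
    Dim fso, magic, claimed
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Select Case LCase(fso.GetExtensionName(fullPath))
        Case "pdf" : magic = "255044462D"       : claimed = "application/pdf"     ' %PDF-
        Case "doc" : magic = "D0CF11E0A1B11AE1" : claimed = "application/msword"  ' OLE2
        Case "zip" : magic = "504B0304"         : claimed = "application/zip"     ' PK..
        Case Else  : magic = ""
    End Select
    ContentTypeFor = "application/octet-stream"
    If Len(magic) > 0 Then
        If Left(HeadHex(fullPath, 8), Len(magic)) = magic Then ContentTypeFor = claimed
    End If
End Function

' Sets the type headers; a file that fails the check is offered as a plain
' download instead of being rendered in the page.
Sub SendTypeHeaders(fullPath, fileName)
    Dim mime
    mime = ContentTypeFor(fullPath)
    Response.ContentType = mime
    Response.AddHeader "X-Content-Type-Options", "nosniff"  ' stop the browser re-guessing
    If mime = "application/octet-stream" Then
        Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
    End If
End Sub
%>
```

The check here is strict about the signature being at offset 0; a file that fails it is still delivered, just as a download rather than inline.
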