Forcing login to a web site

Mark

Hi - I have a document management system in ASP/VBScript, which copies
files to a http://www.[mysite]/files directory. While uploading files
to that directory, it also updates a database with full path
information, and user groups allowed to see the file.

To get access to the file list, a user needs to login - their login is
associated with a group list, which as above, permits them to see a file
list of files with the appropriate group membership.

As the link which is shown on the screen is a direct link to the
document, it would be relatively simple for anyone to see the link, and
access the document(s) without logging into the document management
system, e.g.: http://www[mysite]/files/contactlist.doc

Is there any way of securing the absolute path of the document, or of the
files directory, to stop people simply browsing by entering the URL -
where if they tried they would be taken back to the login screen? Or is
the only alternative to store the files in a BLOB field in the database,
and secure them in that way?

Thanks for any tips,

Mark



Steven Burn

Why not just password the file's folder in IIS?

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
 

Mark

Hi Steven - thanks for the reply - but how would I allow the app to
write and read from the directory if it was password protected? I have
allowed IUSR access to upload the files to the directory - if I password
protect it, how do I still do this, and also retrieve the file for the
user to see? Thanks again,
 

Steven Burn

You could always pass the username/password in your string to the file?

Alternatively, stick the files in a folder that's outside of the root, that
way they can't directly access them.

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
 

Mark

Sorry - I'm not getting this.

If I do not allow anonymous access, and the site is on an internet,
where it is not possible to set up Windows authentication, then how do I
capture the fact that a user has logged in (using a database lookup -
setting a session variable to say they are allowed access) when the
system redirects them to the http://www.mysite/files/myfile.txt dir/file
- if anonymous access is not allowed on this directory, they will be
prompted for a user name, password and domain.

Can I capture the event at this point, to say 'this person has already
logged in, and has a session variable set - so do not show the
username/password/domain box - let them view the file'?

Thanks again for the help,
 

Steven Burn

I know the following is a bit long, and probably not the best way to do
things (probably even a little confusing) but, it should give you a basic
idea.

'Set a session variable when they log in, such as;

If Session("Logged") = True Then
    'grant them access
Else
    'kick them to google or something
End If

'Then to access the actual file........ first check to make sure they are logged in.

If AreTheyLoggedIn = True Then
    Dim strPath
    'URL is the server path to the file (see below)
    strPath = StripAbsPath(URL) & "\myfile.txt"
    Response.Redirect strPath
Else
    Response.Redirect "not-logged_in.asp"
End If

'Here, we set strPath as the main path, then use request.servervariables to get the server name, and finally,
' I've written a custom function to convert an absolute path (server path) to a URL which you can use.
'
' fl.path is the file path (gotten via FSO), Replace has been used as well, to convert \ (server) to / (URL)

strPath = "http://" & request.servervariables("SERVER_NAME") & _
          replace(StripABSPath(fl.Path), "\", "/")

' Note: StripABSPath will ONLY accept an absolute path, it will not accept a URL. (at least, not if you want
' strPath to work anyway).

Function StripABSPath(name)
    Dim path
    path = Split(name, "private") 'Just above the root or "main" folder
    StripABSPath = path(UBound(path))
End Function

'Just double checks to make sure they're logged in
Public Function AreTheyLoggedIn()
    If Session("Logged") = True Then
        AreTheyLoggedIn = True
    Else
        AreTheyLoggedIn = False
    End If
End Function

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
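
As an added example, not code from any poster in this thread: a download page that keeps the files in a folder outside the web root, as suggested above, and streams a file only after the session check, so no direct URL to the document exists. The page name download.asp, the STORE_DIR path, login.asp and the f query parameter are assumptions; Session("Logged") is the variable used in the thread.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' download.asp (hypothetical name): link to download.asp?f=contactlist.doc
' instead of linking to the document itself.
Const STORE_DIR = "D:\private\files"   ' assumed folder outside the web root
Const adTypeBinary = 1                 ' ADODB.Stream binary mode

Dim fso, fileName, fullPath, stream

' 1. Same session check the thread uses; no session, no file.
If Session("Logged") <> True Then
    Response.Redirect "login.asp"      ' hypothetical login page
End If

' 2. Accept a bare file name only, so the request cannot climb out of
'    STORE_DIR with "..", a path separator or a drive letter.
fileName = Request.QueryString("f")
If fileName = "" Or InStr(fileName, "\") > 0 Or InStr(fileName, "/") > 0 _
   Or InStr(fileName, "..") > 0 Or InStr(fileName, ":") > 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = fso.BuildPath(STORE_DIR, fileName)
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' The per-file group lookup described in the first post belongs here,
' before any bytes are sent (the thread does not give the table layout).

' 3. Stream the bytes through the script instead of redirecting the
'    browser to a URL it could reuse without logging in.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile fullPath

Response.Clear
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.BinaryWrite stream.Read
stream.Close
%>
```

The anonymous IIS account still needs NTFS read and write rights on the storage folder so the application can upload and read files, but because the folder has no URL mapping, a browser cannot request the files directly.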
 
