Secure Folders

Armando

Hi,

Here's my scenario: I have a website which is designed to only allow
authenticated users to browse. The authentication is done through a simple
asp script to check a database for a valid username and password. If it's
good it sets a session variable to allow the user to browse. In this website
there is a subfolder containing files which I do not want to be publicly
accessible by using direct URL entry (ie;
http://www.mydomain.com/mywebsite/myprivatefiles/myfile.doc). To do this I
was considering 2 methods: 1) Set NTFS permissions to only allow
authenticated users to see them and 2) using the filesystemobject to
retrieve the files from a non-web accessible directory elsewhere on the
server.

The problems I'm having with the first option is that because my webpage
authenticates to a database (not SQL) and sets a session variable,
technically the authenticated user is still a 'Web Anonymous User' according
to Windows.

With the second method, I am having trouble figuring out how to display an
image file (ie; .jpg) on the webpage from an <img src> tag using the
filesystemobject method of retrieving the file (physical path to the file).

So I'm hoping someone can answer these questions: a) Is there a way using
asp that I can specify a valid NT username so that the user authenticates
properly and has access to the files, or, b) does anyone know how to use the
filesystemobject to retrieve an image file and display it on the page?

Just to let you know, one thing I tried was using virtual paths to access
the folder 1 level up on the physical directory structure but because I have
disabled parent paths (due to security concerns), this is not possible.
Thanks to anyone who can help!

Armando
 
Rob Meade

...
In this website there is a subfolder containing files which I do not want to be publicly
accessible by using direct URL entry (ie;
http://www.mydomain.com/mywebsite/myprivatefiles/myfile.doc).

If I have understood your question correctly you want to prevent a
non-authenticated user from seeing specific webpages and their content.

Sounds like you have the first part of this in place - your login screen,
and you're setting a session variable - great - erm - are you then not
checking this on each page you want secured?

From what you have now I would have thought it would have been easiest to
create a simple 'session-check' function.

If the user is authenticated - ie, a session variable exists - marvellous -
do nothing - the page appears..

If the user is not authenticated - ie a session variable does not exist -
redirect them back to the login page - display an error telling them they
have no access to this.

This gets around the 'pages' issue...

With regards to preventing them accessing an image directly - slightly
different, can't really think of a case off hand where *I* would ever want
this, but assuming you have a user that is at one point allowed to visit,
for some reason decides to take the URL of an image in the secure area, and
then after having their access revoked can then simply paste that into a
browser and see the image - that's where you'd need to consider the NTFS
permissions as far as I see it...

Hope this is of help

Regards

Rob
 
Armando

Hi Rob,

Actually yes each page on my site has a SSI on each asp page setup to check
for a valid session variable and if it is zero-length or null it redirects
them to the login page. Simple enough to setup, all of 5 minutes of work.

As for *why* I want to deny access to images, the images are of my family -
most specifically, my 2 month old baby daughter. I (and more importantly -
my wife) don't just want *anyone* being able to access them. They are on the
web for friends and family only who are each using an assigned username and
password, however using direct URL entry in a browser, the actual pictures
and videos themselves are still accessible. I know they are still somewhat
safe because of the fact that no one really knows my directory structure but
it's still the fact that they are open to just anyone which I would like to
prevent completely if at all possible.

My website is also designed to database track (date, time, IP, username)
every single viewing/download of ANY of the image/video files, but only
through the webpage itself, otherwise I'd have to look in the IIS logs. I
will keep searching for an answer, but thanks for your help nonetheless!

Armando
 
roger

With the second method, I am having trouble figuring out how to display an
image file (ie; .jpg) on the webpage from an <img src> tag using the
filesystemobject method of retrieving the file (physical path to the
file).

Does this work -

<img src="showpic.asp?pic=somepic.jpg">

where showpic.asp is ---

<%
' showpic.asp: stream an image from a folder that is not web-accessible,
' but only when the caller already holds a logged-in session.
Dim o, t, f, pic

If Session("okuser") = "whatever" Then
    pic = Request.QueryString("pic")
    ' Accept a bare filename only; a value containing a path separator or ".."
    ' could otherwise name a file outside somepath/
    If InStr(pic, "/") > 0 Or InStr(pic, "\") > 0 Or InStr(pic, "..") > 0 Then
        Response.Status = "404 Not Found"
        Response.End
    End If
    f = "somepath/" & pic
    Response.Buffer = True
    Set o = Server.CreateObject("ADODB.Stream")
    o.Type = 1                        ' adTypeBinary
    o.Open
    o.LoadFromFile Server.MapPath(f)
    Response.Clear                    ' discard anything buffered so only image bytes go out
    Response.ContentType = "image/jpeg"
    Response.AddHeader "Content-Disposition", "inline"
    t = o.Read()
    Response.BinaryWrite t
    o.Close
    Set o = Nothing
    Response.End
End If
%>
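The gate-then-serve pattern of showpic.asp above, modelled in Python as an added example (not code from the thread): the session check, a bare-filename and directory-confinement check so a crafted pic= value cannot name anything outside the private folder, a content-type allowlist, and the per-view record Armando logs for page-driven access. PRIVATE_DIR, ALLOWED_TYPES, access_log and the sample image are all constructed here.

```python
import os
import tempfile
from typing import Optional, Tuple

# Constructed sample: a private folder outside the web root holding one image.
PRIVATE_DIR = tempfile.mkdtemp(prefix="private_")
with open(os.path.join(PRIVATE_DIR, "somepic.jpg"), "wb") as fh:
    fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # constructed JPEG-like bytes

# Only these extensions are ever served, each with a fixed Content-Type.
ALLOWED_TYPES = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
                 ".gif": "image/gif", ".mp4": "video/mp4"}

# Stand-in for the (username, IP, file) table the thread logs each view to.
access_log = []


def serve_private_file(session: dict, pic: str, private_dir: str = PRIVATE_DIR,
                       client_ip: str = "0.0.0.0") -> Tuple[int, Optional[str], bytes]:
    """Return (status, content_type, body) for showpic.asp?pic=<pic>."""
    # 1. Same gate as showpic.asp: no logged-in session, no file.
    user = session.get("okuser")
    if not user:
        return 403, None, b""
    # 2. Accept only a bare filename: a separator or ".." component means the
    #    request is trying to name something outside the private folder.
    name = os.path.basename(pic)
    if name != pic or "\\" in pic or name in ("", ".", ".."):
        return 400, None, b""
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_TYPES:
        return 404, None, b""
    # 3. Resolve the final path and confirm it still sits directly under the
    #    folder (catches symlinks or odd names that basename() alone lets by).
    root = os.path.realpath(private_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(path) != root or not os.path.isfile(path):
        return 404, None, b""
    with open(path, "rb") as fh:
        body = fh.read()
    # 4. Record the view, as the original site does for page-driven access.
    access_log.append((user, client_ip, name))
    return 200, ALLOWED_TYPES[ext], body
```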
 
Roland Hall

This image is not under my web root. It cannot be accessed directly nor is
its name listed in the client source. It's loaded from a CSS file, which
calls another .asp page as an image, which loads the image using
ADODB.Stream but only if called from my site, otherwise it loads a default
image so you cannot call the ASP file referenced in the CSS file directly.
It also has a transparent gif layered on top of it and right-click is
disabled.

Would that work for you?

http://kiddanger.com/images/badtest.asp

This is the link to try to load it directly:

http://kiddanger.com/lab/badimages.asp

Once on this page you'll notice you cannot view the source because only an
image is rendered. If you go to the first link and then the second, then
click your back button, you'll get an interesting effect.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
 
Armando

Hi Roger,

Kind of works, but not 100% just yet. I couldn't put showpic.asp in the img
tag, but when I put your code directly into my asp page it worked and
brought up the picture ok. The only problem is that this page displays
information about the picture (using filesystemobject) such as filename,
file size, date created, etc. I did find out I needed to use adodb.stream
because fso doesn't support binary reads, but was having trouble getting it
to work until you posted this - thanks! The only problem with the below is
that even though it now displays the picture, it will not display anything
else on the page, not even the page background color or any text that is
supposed to be there. I'm not exactly sure why but am going to keep looking
into it to see if there's just something I'm missing or not. Thanks though,
this is great code!

FYI - I did find out a way to protect my pictures from anonymous web
viewing. All I needed to do was set the entire pictures folder and all the
sub folders/files attributes to 'hidden'. By default, IIS will not allow web
anonymous users to retrieve hidden files, but fso and adodb.stream, etc. can
still get to them as (obviously) they are accessing the folders at the
filesystem level and not through http. I'll let you know!

Armando
 
roger

Kind of works, but not 100% just yet. I couldn't put showpic.asp in the img
tag, but when I put your code directly into my asp page it worked and
brought up the picture ok.

Hello Armando,

I don't think you can mix binary data and plain text, so pasting
the code into an HTML page won't work. You will usually see
just the image.

Why couldn't you use an img tag?

Did your browser not like it?
 
Armando

Hi Roger,

Yes you're right.. I had checked into that too and found out that's why my
other stuff wasn't working. You can't mix binary data with ascii that is the
rest of the page. Hence I went back and retried using the showpic.asp method
and lo and behold all worked fine. I think I know what I did wrong, and that
was a typo in my img tag. Now all is well and my images are safe. Again,
thanks for your help.

And Roland, thanks for the tip from your post as well, I am looking into
using that too!

Cheers.

Armando
 