Securing uploaded documents

Dean g

Hi,
I need help stopping people from accessing documents on the
server unless they are logged in through the website. I don't
know how to do this without using a database or just manually
adding passwords to folders.

I know it's possible in .net, any help on how to do this in
classic asp would be greatly appreciated.

Regards,
Dean
 
Bwig Zomberi

Dean said:
Hi,
I need help stopping people from accessing documents on the
server unless they are logged in through the website. I don't
know how to do this without using a database or just manually
adding passwords to folders.

I know it's possible in .net, any help on how to do this in
classic asp would be greatly appreciated.

Regards,
Dean


After authenticating the user, read the file contents and then

1. Use Response.ContentType to set mime type.

2. Use Response.AddHeader to set file name
Response.AddHeader "content-disposition","attachment; filename=fname.ext"

3. Use Response.BinaryWrite to send the file to the browser.
 
Dan

Dean g said:
Thanks for the help Bwig

Just a note though - if the file is large, you may have to send it out in
chunks instead of all in one go. If you Google for "ado stream binarywrite"
you'll find plenty of examples of how to do this in ASP.
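
The approach described in the two replies above (check the login, set the headers, send the file in chunks), sketched as an added example that is not code from any poster in this thread. It assumes the login page stores `Session("UserID")`, that `login.asp` exists, and that the documents sit in a hypothetical folder `D:\private_docs\` outside the web root so IIS cannot serve them directly.

```asp
<%
' Added example. Assumptions: Session("UserID") is set at login,
' login.asp is the login page, DOC_ROOT is outside the web root.
Option Explicit
Const DOC_ROOT = "D:\private_docs\"   ' hypothetical path
Const CHUNK_SIZE = 65536              ' bytes sent per BinaryWrite
Const adTypeBinary = 1

Dim fname, re, fso, stm

' 1. Refuse anyone who has not logged in through the website.
If IsEmpty(Session("UserID")) Then
    Response.Redirect "login.asp"
End If

' 2. Accept only a plain "name.ext" so the request cannot climb out of
'    DOC_ROOT (no slashes, no "..") or inject characters into the header.
fname = Request.QueryString("file")
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_\-]+\.[A-Za-z0-9]+$"
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not re.Test(fname) Then
    Response.Status = "404 Not Found"
    Response.End
ElseIf Not fso.FileExists(DOC_ROOT & fname) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 3. Set the headers, then send the file a chunk at a time.
Response.Buffer = True
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fname & """"

Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile DOC_ROOT & fname
Do While Not stm.EOS
    If Not Response.IsClientConnected Then Exit Do   ' stop if the user left
    Response.BinaryWrite stm.Read(CHUNK_SIZE)
    Response.Flush                                   ' push this chunk out
Loop
stm.Close
Set stm = Nothing
%>
```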
 
Dean g

Thanks for the help guys, I have a new problem with this
though hopefully you can help with.

I can't get the documents to open in the browser, they
automatically save. Ideally I would like to open the files in
a popup window if that's possible.

My code looks like this, the inline just isn't doing anything.

Response.AddHeader "Content-Disposition","inline; filename=" & file

Regards,
Dean g
 
Bwig Zomberi

Dean said:
Thanks for the help guys, I have a new problem with this
though hopefully you can help with.

I can't get the documents to open in the browser, they
automatically save.

This depends on the browser setting. You may have prevented the show
dialog box setting and set it for automatic save. Try with another
browser or on another computer.

Ideally I would like to open the files in
a popup window if that's possible.


In the link that connects to this ASP, use target="_blank".

Omit the Response.AddHeader.

Depending on the mime type and related-settings, the browser may display
the contents in a new window. If browser is configured to load the
content outside the browser in the native application, it may do so.

My code looks like this, the inline just isn't doing anything.

Response.AddHeader "Content-Disposition","inline; filename=" & file

It provides a file name for the contents sent by the ASP page.
Otherwise, you have to enter a name or the browser will give a name.
 
Bwig Zomberi

Dan said:
Just a note though - if the file is large, you may have to send it out
in chunks instead of all in one go. If you Google for "ado stream
binarywrite" you'll find plenty of examples of how to do this in ASP.

Dan, I wanted to implement something like this. However, for very large
file downloads and slow user connections, the script will have to be
running for a long time. IIS will kill any request after some time. Do
you or anyone else know how to avoid that?
 
Dan

Bwig Zomberi said:
Dan, I wanted to implement something like this. However, for very large
file downloads and slow user connections, the script will have to be
running for a long time. IIS will kill any request after some time. Do you
or anyone else know how to avoid that?

Look at documentation for the Server.ScriptTimeout property :)
 
Bwig Zomberi

Dan said:
Look at documentation for the Server.ScriptTimeout property :)

No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and
the user is on dialup. It will take several hours. IIS will kill the
request.
 
Dooza

No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and
the user is on dialup. It will take several hours. IIS will kill the
request.

Surely a protocol designed for larger files would be more appropriate?
Like FTP maybe?

Dooza
 
Dan

Bwig Zomberi said:
No, Dan. There is a limit for that too. Imagine a 700 MB ISO file and the
user is on dialup. It will take several hours. IIS will kill the request.

In that case, don't do it :p

As Dooza points out, FTP is more appropriate for something like this.

Any application you build will have limits - you just have to figure out
what is feasible and use alternate means for anything that falls outside of
the parameters you come up with.
 
Bwig Zomberi

Dooza said:
Surely a protocol designed for larger files would be more appropriate?
Like FTP maybe?

FTP sends passwords unencrypted. SFTP is not available on all hosting
servers.
 
Dan

Bwig Zomberi said:
FTP sends passwords unencrypted. SFTP is not available on all hosting
servers.

Either use anonymous FTP (if the files were going on a web site without
authentication), or use a custom FTP system with a short term unique ID in
the filename request to authenticate against an existing request via the
authenticated web application. Or come up with some other custom
authentication scheme.

Hosting large files on a standard public hosting package is obviously not an
appropriate use of said hosting. In many cases it'll likely be a violation
of the hosting T&C anyway. If you have a VPS or dedicated server then you
have a lot more flexibility and should be able to set up SFTP, FTP+SSL, or
any of a number of options for hardening FTP (or any other
application/protocol designed for handling large files).

If you're going to pick holes in every suggestion provided we're going to be
here indefinitely :p
 
Bwig Zomberi

Dan said:
Either use anonymous FTP (if the files were going on a web site without
authentication), or use a custom FTP system with a short term unique ID
in the filename request to authenticate against an existing request via
the authenticated web application. Or come up with some other custom
authentication scheme.

Hosting large files on a standard public hosting package is obviously
not an appropriate use of said hosting. In many cases it'll likely be a
violation of the hosting T&C anyway. If you have a VPS or dedicated
server then you have a lot more flexibility and should be able to set up
SFTP, FTP+SSL, or any of a number of options for hardening FTP (or any
other application/protocol designed for handling large files).

If you're going to pick holes in every suggestion provided we're going
to be here indefinitely :p

I just needed a second opinion that I have done everything that can be
done with a script. I am not picking holes. I had already tried
everything you had suggested when I was faced with same problem as the
OP. I provided the solution to the OP based on that experience.

The files I handle are less than 70 MB and they are on a shared hosting
server. However, I did not go for the ASP download solution because of
slow downloaders. Currently, http folder passwords are used. This is
also unsatisfactory, credentials are sent as plain text.
 
Dan

Bwig Zomberi said:
I just needed a second opinion that I have done everything that can be
done with a script. I am not picking holes. I had already tried everything
you had suggested when I was faced with same problem as the OP. I provided
the solution to the OP based on that experience.

The files I handle are less than 70 MB and they are on a shared hosting
server. However, I did not go for the ASP download solution because of
slow downloaders. Currently, http folder passwords are used. This is also
unsatisfactory, credentials are sent as plain text.

For the latter issue, you will either need to look into SSL (which is often
difficult with shared hosting as it requires a dedicated IP address for the
site, or a SAN certificate covering all required virtual servers on a single
IP), or NTLM/Integrated Authentication (which IIRC doesn't work if there are
proxy servers involved between the browser and server).
 
Dean g

Hey guys,
I have a new problem hopefully you can help with. Do you know
how to detect the mime type of the file on the server? Some of
my pdf files aren't getting recognized as pdf's and filling
the page with garbage.

I think I need to determine the appropriate MIME type from
binary data, but don't really have a clue where to start.
 
Bwig Zomberi

Dean said:
Hey guys,
I have a new problem hopefully you can help with. Do you know
how to detect the mime type of the file on the server? Some of
my pdf files aren't getting recognized as pdf's and filling
the page with garbage.

I think I need to determine the appropriate MIME type from
binary data, but don't really have a clue where to start.


Check the extension of the file. If it is "PDF" or "pdf", then set the
mime type to "application/pdf".

Response.ContentType = "application/pdf"

A list of popular mime types:
http://msdn.microsoft.com/en-us/library/ms775147(VS.85).aspx#Known_MimeTypes

For unknown mime types, I think you need to use "application/octet-stream"
 
Dan

Bwig Zomberi said:
Check the extension of the file. If it is "PDF" or "pdf", then set the
mime type to "application/pdf".

Response.ContentType = "application/pdf"

A list of popular mime types:
http://msdn.microsoft.com/en-us/library/ms775147(VS.85).aspx#Known_MimeTypes

For unknown mime types, I think you need to use "application/octet-stream"


This is probably the best solution. IE7 and higher do have "MIME sniffing"
too which will attempt to determine the real MIME type from the file header,
but this seems to fail from time to time.
 
Dean g

I already check the ext Bwig, the problem is they are not necessarily
genuine pdf's. I've been searching for mime
sniffing code like you suggested Dan, but so far can only find
resources for .net
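
A server-side signature check for the case raised in the last post (a file named .pdf that is not a genuine PDF), as an added example that is not code from any poster in this thread. It goes a little beyond PDF by also recognising PNG and JPEG from their leading bytes; `docPath` is a hypothetical, already-validated path, and anything unrecognised falls back to `application/octet-stream` as suggested earlier in the thread.

```asp
<%
' Added example: pick the Content-Type from the file's first bytes.
Const adTypeBinary = 1

' True when the byte array "head" begins with the byte values in "sig".
Function StartsWith(head, sig)
    Dim i
    StartsWith = False
    If LenB(head) <= UBound(sig) Then Exit Function   ' too short to match
    For i = 0 To UBound(sig)
        If AscB(MidB(head, i + 1, 1)) <> sig(i) Then Exit Function
    Next
    StartsWith = True
End Function

' Returns a MIME type based on the file signature, not the file name.
Function SniffMime(path)
    Dim stm, head
    SniffMime = "application/octet-stream"
    Set stm = Server.CreateObject("ADODB.Stream")
    stm.Type = adTypeBinary
    stm.Open
    stm.LoadFromFile path
    If stm.Size > 0 Then
        head = stm.Read(8)
        If StartsWith(head, Array(&H25, &H50, &H44, &H46, &H2D)) Then   ' %PDF-
            SniffMime = "application/pdf"
        ElseIf StartsWith(head, Array(&H89, &H50, &H4E, &H47)) Then     ' .PNG
            SniffMime = "image/png"
        ElseIf StartsWith(head, Array(&HFF, &HD8, &HFF)) Then           ' JPEG
            SniffMime = "image/jpeg"
        End If
    End If
    stm.Close
    Set stm = Nothing
End Function

Dim docPath, mime
docPath = "D:\private_docs\report.pdf"   ' hypothetical, already-validated path
mime = SniffMime(docPath)
' Extension says PDF but the content does not: send it as a plain download
' so the browser does not try to render it in the page.
If LCase(Right(docPath, 4)) = ".pdf" And mime <> "application/pdf" Then
    mime = "application/octet-stream"
    Response.AddHeader "Content-Disposition", "attachment; filename=download.bin"
End If
Response.ContentType = mime
%>
```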
 
