Restrict access to a PDF file. Site uses sessions for access control.

[DSect]

How can I restrict access to a files, such as a PDF file when I'm using session variables to restrict access to sections of my site.

I have a restricted access members section and there are some PDFs in it. If someone logs in and copies the URL to a PDF behind the member's login they can download the PDF without being logged in.

I was thinking maybe have a page redirect to it or other ways, but they'll still be able to see where the file is being downloaded from and simply navigate to it to dload it.

I'm not sure how to handle this.

The PDFs are publications, so I cannot generate them on the fly.

I was thinking of using IIS directory security, but my usernames and pwords are in an Acess 97 DB and I didn't know if I could integrate it w/ IIS 6's directory security.

How do you guys handle this situation?

Thanks!

 

[TJRTech]

Might I suggest placing your PDFs in an secure area that is not under your web root, then use streaming to stream the files to the user when selected.

You will need a special "catalog.asp" type ASP that lists the files accessible by the user, and that could use the FileSystemObject to get a list of the files in the logged in users directory. Then, the hrefs for the list of files would be to a redirector type asp (maybe called "getfile.asp" or somesuch) that takes in query string parameters for the file name. The "getfile.asp" page could check credentials from the session and if all is okay, stream the file to the user.

Now, there are several threads in this group on using FileSystemObject to list directory contents and using streaming to send files to the browser.

One such thread is:

thread333-824191

Good luck,
TR