
securing online data

Apr 19, 2005
I want to make a pdf file available to people who have logged in to our website.

The problem I am having is if someone logs in, they can copy the url and still access the file even though they are not logged in. Is there an easy way to lock this down?

Thank you,

Ross
 
Also, I am using a FoxPro database - if this makes a difference. I'm not sure of a way offhand to store a pdf file in a FoxPro database, and if it is possible I'm not sure it would even be an efficient method.

Thanks,

Ross
 
Even if you get this in place, what's going to stop them downloading it when they're logged in and then accessing it locally from then on or even distributing it?

Tony
 

The information in this file is just a company handbook. All employees have a copy sitting at their desk right now.

But with that said, "ASP" is new to me and I am exploring the capabilities right.

When I log into my checking account at Wells Fargo I can pull up images of recent checks I have written out. When looking at the URL it appears random or coded. If I copy that URL into a new browser it doesn't work without being logged in - and it's different each time.

I am just wondering if ASP can do that? Or how would you go about doing something like that, as I thought that was pretty neat.

Thanks,

Ross

 
You can set a session variable when the user logs in.

The session variable is actually implemented by a cookie that expires as soon as the session is over... but you don't have to worry about the implementation other than knowing that users must have cookies enabled to use it. In a corporate network all users probably have the same configuration so this will be an easy yes/no question.
 
So, when the user logs in, do something like this:
Session("UserName") = "whatever"


Then, on all the pages you seek to protect, add something like this:
Code:
IF Len(Session("UserName")) = 0 THEN
  'Not logged in, redirect to login page:
  Response.Redirect "login.asp"
  Response.End
END IF

You could put this code into a little INCLUDE file and just put the one line include directive on top of each protected page.

 
Then, if you really want to get fancy, you can add the URL of the protected page to its own Session variable.

You can check THAT session variable and use it to send the user BACK to the protected page once the login is validated.

So you'd have something like this in your INCLUDE file:
Code:
IF Len(Session("UserName")) = 0 THEN
  'Not logged in, set session variable for current page:
  Session("RequestedPage") = Request.ServerVariables("URL")

  'redirect to login page:
  Response.Redirect "login.asp"
  Response.End
END IF


And also in the page that verifies the login, you'd have something like this:
Code:
  '... code to check login credentials goes here ...


  'Set session var for validated login:
  Session("UserName") = "whatever"


  'If user was sent to the login page by a protected page
  'Then return to that protected page:
  Dim strGoToURL
  strGoToURL = "default.asp"
  IF Len(Session("RequestedPage")) > 0 THEN
    strGoToURL = Session("RequestedPage")
    Session("RequestedPage") = ""
  END IF
  Response.Redirect strGoToURL
 
You don't link directly to the PDF. You link to a page, maybe call it something like FetchPDF.asp and you specify the name of the pdf in the link.

Something like this:
<a href="FetchPDF.asp?file=MyDocument.pdf">My Document</a>


Then you add the protection code to FetchPDF.asp

The code inside the FetchPDF can either Redirect directly to the PDF or you could, if really paranoid, copy the PDF into the Response object. Choosing this second option would be more work but, if you did it that way, you would never need to reveal the actual URL of your pdf. The pdf files themselves could even be in a folder that is absolutely unreachable via a URL... not in a virtual directory or anything. It just depends on how much security you are willing to take the time to create.
 
Another way to do it is to make the link to the file an invalid link.

Suppose you have a folder on your site named /PDF where you currently have all of these files...

Suppose you make a new folder and named it something like /PDFSecure ....

Suppose you MOVE all of the files from /PDF to /PDFSecure...

... now all of your links are broken and they will give the user a 404 error!

... BUT ...

Now you make a new ASP script, let's call it 404.asp. You add the "protection code" from above. Then you go into the IIS Admin tool for your web app and set a custom 404 error on the /PDF directory... you tell IIS to use your 404.asp for all 404 errors in the /PDF directory.

Now you go back into your 404.asp and add code to look at the Request.ServerVariables to find the name of the pdf that was originally linked. You reach over into your /PDFSecure folder and grab the file and write the file to the Response object. If the file does not exist then you just put up your own little "Sorry, file not found" message.

Validated users will not see any difference over a link directly to the file. Users that have not logged in will be sent back to the login page by the "protection" code, and users that request a nonexistent file will get your custom 404 message.
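
The FetchPDF.asp idea from the posts above (copying the PDF into the Response object from a folder that no URL reaches), as an added example that is not part of the original posts. The SECURE_DIR path and the file-name pattern are assumptions; because the name arrives in the query string, it is accepted only as a bare .pdf file name before it touches the file system. A 404.asp handler would run the same steps 2-4 on the name taken from the originally requested URL.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' FetchPDF.asp - added example, not code from the thread.
' SECURE_DIR is an assumed folder outside every virtual directory.
Const SECURE_DIR = "D:\PDFSecure\"
Const adTypeBinary = 1

Dim fileName, re, fso, fullPath, stream

' 1. Protection code from the thread: only logged-in sessions get past here.
If Len(Session("UserName")) = 0 Then
  Session("RequestedPage") = Request.ServerVariables("URL")
  Response.Redirect "login.asp"
  Response.End
End If

' 2. Accept a bare file name only: letters, digits, "_" and "-", ending in .pdf.
'    Slashes, backslashes, drive letters and ".." never match, so the request
'    cannot step outside SECURE_DIR.
fileName = CStr(Request.QueryString("file"))
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]+\.pdf$"
re.IgnoreCase = True
If Not re.Test(fileName) Then
  Response.Status = "400 Bad Request"
  Response.End
End If

' 3. Build the path under SECURE_DIR and confirm the file exists.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = SECURE_DIR & fileName
If Not fso.FileExists(fullPath) Then
  Response.Status = "404 Not Found"
  Response.Write "Sorry, file not found"
  Response.End
End If

' 4. Copy the file into the Response object; its real location is never sent.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile fullPath
Response.ContentType = "application/pdf"
Response.AddHeader "Content-Disposition", "inline; filename=""" & fileName & """"
Response.BinaryWrite stream.Read
stream.Close
Response.End
%>
```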
 
Thanks so much for your help.
Just out of curiosity: at wellsfargo.com, I did notice .cgi in the link. Do you think this may be a simple .cgi script or is it some extremely complicated code written by programmers exclusively for their company, way over my head and not worth looking into?


Thanks,

Ross
 


I need a how-to on getting the file into the object and then displaying it on the screen.

Thanks,

Ross
 
It is probably basically the same idea except that .cgi scripts were traditionally done in Perl.

There is more than one way to skin a cat, if you are more comfortable in CGI/Perl then by all means do it that way.
 
Does anyone know how to get the file into the object and then display it on the screen? Is this even possible? I will do some research.

Thanks,

Ross
 