Forcing login to a web site

Hi - I have a document management system in ASP/VBScript, which copies
files to a http://www.[mysite]/files directory. While uploading files
to that directory, it also updates a database with full path
information, and user groups allowed to see the file.

To get access to the file list, a user needs to login - their login is
associated with a group list, which as above, permits them to see a file
list of files with the appropriate group membership.

As the link which is shown on the screen is a direct link to the
document, it would be relatively simple for anyone to see the link, and
access the document(s) without logging into the document management
system, e.g.: http://www[mysite]/files/contactlist.doc

Is there any way of securing the absolute path of the document, or of the
files directory, to stop people simply browsing by entering the URL -
where if they tried they would be taken back to the login screen? Or is
the only alternative to store the files in a BLOB field in the database,
and secure them in that way?

Thanks for any tips,

Mark
a client has requested that I make a file management system more secure

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Jul 19 '05 #1
Why not just password the file's folder in IIS?

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
Jul 19 '05 #2
Hi Steven - thanks for the reply - but how would I allow the app to
write and read from the directory if it was password protected? I have
allowed IUSR access to upload the files to the directory - if I password
protect it, how do I still do this, and also retrieve the file for the
user to see? Thanks again,

Jul 19 '05 #3
You could always pass the username/password in your string to the file?

Alternatively, stick the files in a folder that's outside of the root, that
way they can't directly access them

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
Jul 19 '05 #4
Sorry - I'm not getting this.

If I do not allow anonymous access, and the site is on an internet,
where it is not possible to set up Windows authentication, then how do I
capture the fact that a user has logged in (using a database lookup -
setting a session variable to say they are allowed access) when the
system redirects them to the http://www.mysite/files/myfile.txt dir/file
- if anonymous access is not allowed on this directory, they will be
prompted for a user name, password and domain.

Can I capture the event at this point, to say 'this person has already
logged in, and has a session variable set - so do not show the
username/password/domain box - let them view the file'?

Thanks again for the help,

Jul 19 '05 #5
I know the following is a bit long, and probably not the best way to do
things (probably even a little confusing) but, it should give you a basic
idea.

'Set a session variable when they log in, such as;

If Session("Logged") = True Then
    'grant them access
Else
    'kick them to google or something
End If

'Then to access the actual file........ first check to make sure they
'are logged in.

If AreTheyLoggedIn = True Then
    Dim strPath
    'URL is the server path to the file (see below)
    strPath = StripAbsPath(URL) & "\myfile.txt"
    Response.Redirect strPath
Else
    Response.Redirect "not-logged_in.asp"
End If

'Here, we set strPath as the main path, then use request.servervariables
'to get the server name, and finally,
' I've written a custom function to convert an absolute path (server
' path) to a URL which you can use.
'
' fl.path is the file path (gotten via FSO), Replace has been used
' as well, to convert \ (server) to / (URL)

strPath = "http://" & request.servervariables("SERVER_NAME") & replace(StripABSPath(fl.Path), "\", "/")

' Note: StripABSPath will ONLY accept an absolute path, it will not
' accept a URL. (at least, not if you want
' strPath to work anyway).

Function StripABSPath(name)
    Dim path
    path = Split(name, "private") 'Just above the root or "main" folder
    StripABSPath = path(UBound(path))
End Function

'Just double checks to make sure they're logged in
Public Function AreTheyLoggedIn()
    If Session("Logged") = True Then
        AreTheyLoggedIn = True
    Else
        AreTheyLoggedIn = False
    End If
End Function

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
Jul 19 '05 #6
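
Added example, not part of the original thread and not any poster's code: the "folder outside the root" suggestion combined with the session check, as a classic ASP page that streams the file itself after checking login and group membership, so no direct URL to the document ever exists. Session("Logged") is taken from the thread; the storage folder, connection string, Files table and Session("Groups") are assumed names.

```vbscript
<%
Option Explicit
' download.asp?id=42 (added example). Placeholder names: STORE_DIR, CONN_STR,
' table Files(FileID, StoredName, GroupName), Session("Groups") such as "sales,hr".
Const STORE_DIR = "D:\private\files\"   ' outside the web root: no URL maps to it
Const CONN_STR = "Provider=SQLOLEDB;Data Source=PLACEHOLDER;Initial Catalog=PLACEHOLDER;Integrated Security=SSPI"
Const adCmdText = 1, adInteger = 3, adParamInput = 1, adTypeBinary = 1

Sub Deny()
    ' Same answer for "no such file" and "not your group", so ids cannot be probed
    Response.Status = "404 Not Found"
    Response.End
End Sub

' 1. Must be logged in (same session flag as in the thread)
If Session("Logged") <> True Then Response.Redirect "login.asp"
' 2. The request carries only a numeric id, never a path or file name
Dim re, idText
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
idText = Request.QueryString("id")
If Not re.Test(idText) Then Deny
' 3. Look the file up with a parameterised query
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = CONN_STR
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT StoredName, GroupName FROM Files WHERE FileID = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(idText))
Set rs = cmd.Execute
If rs.EOF Then Deny
' 4. The user's groups must include the file's group
Dim groups
groups = "," & LCase(Session("Groups")) & ","
If InStr(groups, "," & LCase(rs("GroupName").Value) & ",") = 0 Then Deny
' 5. Stream the bytes; GetFileName drops any directory part of the stored name
Dim fso, fullPath, stm
Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = STORE_DIR & fso.GetFileName(rs("StoredName").Value)
If Not fso.FileExists(fullPath) Then Deny
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile fullPath
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fso.GetFileName(fullPath) & """"
Response.BinaryWrite stm.Read
stm.Close
%>
```

The file list page then links to download.asp?id=... rather than to the document, and the account the site runs under needs NTFS read access to the storage folder.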
Thanks Steven - that's got me going in the right direction,

Cheers, Mark

Jul 19 '05 #7
No problem ;o)

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
Jul 19 '05 #8
