By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
425,763 Members | 1,641 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 425,763 IT Pros & Developers. It's quick & easy.

protected download of files...

P: n/a
I am creating a series of downloadable articles, career
tools, spreadsheets, etc. However, some of the content is
for "registered" guest. The registrants are stored in a
database and logon.

I want to ensure that someone registered cannot simply
pass someone the path to the files for download. However,
I am not creating an actual system user name for the
folders where the various documents exist.

I don't want someone to logon, retrieve the path to a
file, and be able to send that path or return to that path
without having to logon.

How do I accomplish this?

Consider the following:
serverroot/registeredcontentfolders would be protected by
a single logon name - not accessible via anonymous
access. User's logon to site and I auth them with their
user name but on the server side, auth with the single
account I am establishing for access to the protected
folders.

Any insight would be appreciated.

Thanks,
Matt
Jul 19 '05 #1
Share this Question
Share on Google+
3 Replies


P: n/a
On Fri, 12 Sep 2003 09:11:54 -0700, "Matthew Moran" <mm****@cbtoolkit.com> wrote:
I am creating a series of downloadable articles, career
tools, spreadsheets, etc. However, some of the content is
for "registered" guest. The registrants are stored in a
database and logon.

I want to ensure that someone registered cannot simply
pass someone the path to the files for download. However,
I am not creating an actual system user name for the
folders where the various documents exist.

I don't want someone to logon, retrieve the path to a
file, and be able to send that path or return to that path
without having to logon.

How do I accomplish this?

Consider the following:
serverroot/registeredcontentfolders would be protected by
a single logon name - not accessible via anonymous
access. User's logon to site and I auth them with their
user name but on the server side, auth with the single
account I am establishing for access to the protected
folders.

Any insight would be appreciated.

Thanks,
Matt


Place the 'restricted' downloads on a page that has the following code ( or some equivalent to it ) immediately after
the BODY tag:

<SCRIPT Language="JavaScript">
if (document.referrer != "http://YourLogin_passwordform_page.asp") {
location.href="http://Someplace_else.asp"
}

</SCRIPT>
hth,

Jul 19 '05 #2

P: n/a
I have done this for several sites I have developed.

What I have done is create a "download.asp" script which checks for the
appropriate permissions, then uses FileSystemObject to read the file from
disk Response.ContentType, Response.AddHeader, and Response.BinaryWrite to
send the file to the browser.

This script is moste effective when the folder which stores the downloadable
files is outside the web structure, so there is no way that someone can get
to the files other than through download.asp. (For example, on the site I
was working on today, the client has the root folder for the domain at
d:\iisdata\www.myserver.com\html, and all of the downloadable files are in
d:\iisdata\www.myserver.com\downloads --since downloads is outside the web
root, there's no way to get to it from a browser.)

I have found added benefits by storing full names and paths to files in a
database, and only use a short ID to retrieve the file in my script. For
example, on the first site I developed using this method, I might have had a
link like
http://www.myserver.com/download.asp...s/glossary.doc.
As I kept reusing the same code, I figured out that it was even more
efficient to have a link like
http://www.myserver.com/download.asp?FileID=107 --not only does this mask
the full file name from the user, but it lets me easily flag files as
"members only" or "general public" by adding a field in the database, and it
eliminates problems I was having where people would try to publish documents
with names like "Member Dues & Fees.xls" (includes spaces and an &, which
were sometimes problematic for query strings!)

Hope that helps you get started,
Boris

"Matthew Moran" <mm****@cbtoolkit.com> wrote in message
news:27****************************@phx.gbl...
I am creating a series of downloadable articles, career
tools, spreadsheets, etc. However, some of the content is
for "registered" guest. The registrants are stored in a
database and logon.

I want to ensure that someone registered cannot simply
pass someone the path to the files for download. However,
I am not creating an actual system user name for the
folders where the various documents exist.

I don't want someone to logon, retrieve the path to a
file, and be able to send that path or return to that path
without having to logon.

How do I accomplish this?

Consider the following:
serverroot/registeredcontentfolders would be protected by
a single logon name - not accessible via anonymous
access. User's logon to site and I auth them with their
user name but on the server side, auth with the single
account I am establishing for access to the protected
folders.

Any insight would be appreciated.

Thanks,
Matt

Jul 19 '05 #3

P: n/a
"Matthew Moran" <mm****@cbtoolkit.com> wrote in message news:<27****************************@phx.gbl>...
I am creating a series of downloadable articles, career
tools, spreadsheets, etc. However, some of the content is
for "registered" guest. The registrants are stored in a
database and logon.

I want to ensure that someone registered cannot simply
pass someone the path to the files for download. However,
I am not creating an actual system user name for the
folders where the various documents exist.

I don't want someone to logon, retrieve the path to a
file, and be able to send that path or return to that path
without having to logon.


Matthew,

This is a common task, and you should be able to implement a solution
quickly. The best way to accomplish this is with an ASP download
script that uses software such as SoftArtisans FileUp
(http://fileup.softartisans.com). Using something such as FileUp to
handle the streaming of files is more reliable, more feature-rich, and
better performance-wise than just using the FileSystemObject (which
doesn't deal with binary files correctly) to stream your downloads.

-Chris
Jul 19 '05 #4

This discussion thread is closed

Replies have been disabled for this discussion.