I have done this for several sites I have developed.
What I have done is create a "download.asp" script which checks for the
appropriate permissions, then uses FileSystemObject to read the file from
disk Response.ContentType, Response.AddHeader, and Response.BinaryWrite to
send the file to the browser.
This script is moste effective when the folder which stores the downloadable
files is outside the web structure, so there is no way that someone can get
to the files other than through download.asp. (For example, on the site I
was working on today, the client has the root folder for the domain at
d:\iisdata\
www.myserver.com\html, and all of the downloadable files are in
d:\iisdata\
www.myserver.com\downloads --since downloads is outside the web
root, there's no way to get to it from a browser.)
I have found added benefits by storing full names and paths to files in a
database, and only use a short ID to retrieve the file in my script. For
example, on the first site I developed using this method, I might have had a
link like
http://www.myserver.com/download.asp...s/glossary.doc.
As I kept reusing the same code, I figured out that it was even more
efficient to have a link like
http://www.myserver.com/download.asp?FileID=107 --not only does this mask
the full file name from the user, but it lets me easily flag files as
"members only" or "general public" by adding a field in the database, and it
eliminates problems I was having where people would try to publish documents
with names like "Member Dues & Fees.xls" (includes spaces and an &, which
were sometimes problematic for query strings!)
Hope that helps you get started,
Boris
"Matthew Moran" <mm****@cbtoolkit.com> wrote in message
news:27****************************@phx.gbl...
I am creating a series of downloadable articles, career
tools, spreadsheets, etc. However, some of the content is
for "registered" guest. The registrants are stored in a
database and logon.
I want to ensure that someone registered cannot simply
pass someone the path to the files for download. However,
I am not creating an actual system user name for the
folders where the various documents exist.
I don't want someone to logon, retrieve the path to a
file, and be able to send that path or return to that path
without having to logon.
How do I accomplish this?
Consider the following:
serverroot/registeredcontentfolders would be protected by
a single logon name - not accessible via anonymous
access. User's logon to site and I auth them with their
user name but on the server side, auth with the single
account I am establishing for access to the protected
folders.
Any insight would be appreciated.
Thanks,
Matt
