Forcing login to a web site

Hi - I have a document management system in ASP/VBScript, which copies
files to a http://www.[mysite]/files directory. While uploading files
to that directory, it also updates a database with full path
information, and user groups allowed to see the file.

To get access to the file list, a user needs to login - their login is
associated with a group list, which as above, permits them to see a file
list of files with the appropriate group membership.

As the link which is shown on the screen is a direct link to the
document, it would be relatively simple for anyone to see the link, and
access the document(s) without logging into the document management
system, e.g.: http://www[mysite]/files/contactlist.doc

Is there any way of securing the absolute path of the document, or of the
files directory, to stop people simply browsing by entering the URL -
where if they tried they would be taken back to the login screen? Or is
the only alternative to store the files in a BLOB field in the database,
and secure them in that way?

Thanks for any tips,

Mark
a client has requested that I make a file management system more secure

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Jul 19 '05 #1
Why not just password the file's folder in IIS?

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
Jul 19 '05 #2
Hi Steven - thanks for the reply - but how would I allow the app to
write and read from the directory if it was password protected? I have
allowed IUSR access to upload the files to the directory - if I password
protect it, how do I still do this, and also retrieve the file for the
user to see? Thanks again,

Jul 19 '05 #3
You could always pass the username/password in your string to the file?

Alternatively, stick the files in a folder that's outside of the root, that
way they can't directly access them

Jul 19 '05 #4
Sorry - I'm not getting this.

If I do not allow anonymous access, and the site is on an internet,
where it is not possible to setup windows authentication, then how do I
capture the fact that a user has logged in (using a database lookup -
setting a session variable to say they are allowed access) when the
system redirects them to the http://www.mysite/files/myfile.txt dir/file
- if anonymous access is not allowed on this directory, they will be
prompted for a user name, password and domain.

Can I capture the event at this point, to say 'this person has already
logged in, and has a session variable set - so do not show the
username/password/domain box - let them view the file'?

Thanks again for the help,

Jul 19 '05 #5
I know the following is a bit long, and probably not the best way to do
things (probably even a little confusing) but, it should give you a basic
idea.

'Set a session variable when they log in, such as;

If Session("Logged") = True Then
    'grant them access
Else
    'kick them to google or something
End If

'Then to access the actual file........ first check to make sure they
'are logged in.

If AreTheyLoggedIn = True Then
    Dim strPath
    'URL is the server path to the file (see below)
    strPath = StripABSPath(URL) & "\myfile.txt"
    Response.Redirect strPath
Else
    Response.Redirect "not-logged_in.asp"
End If

'Here, we set strPath as the main path, then use Request.ServerVariables
'to get the server name, and finally,
' I've written a custom function to convert an absolute path (server
' path) to a URL which you can use.
'
' fl.Path is the file path (gotten via FSO), Replace has been used
' as well, to convert \ (server) to / (URL)

strPath = "http://" & Request.ServerVariables("SERVER_NAME") & _
          Replace(StripABSPath(fl.Path), "\", "/")

' Note: StripABSPath will ONLY accept an absolute path, it will not
' accept a URL. (at least, not if you want
' strPath to work anyway).

Function StripABSPath(name)
    Dim path
    'Split on "private": just above the root or "main" folder
    path = Split(name, "private")
    'Keep whatever follows the last "private" in the path
    StripABSPath = path(UBound(path))
End Function

'Just double checks to make sure they're logged in
Public Function AreTheyLoggedIn()
    If Session("Logged") = True Then
        AreTheyLoggedIn = True
    Else
        AreTheyLoggedIn = False
    End If
End Function

Jul 19 '05 #6
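
An added example, not part of the original posts: a download page that combines the two suggestions above (files kept in a folder outside the web root, plus the Session("Logged") check) and streams the file through the script, so the browser is never given a direct URL to it. The folder path, login.asp, Session("UserGroup"), the Files table and Application("ConnStr") are assumptions made for illustration.

```vbscript
<%
Option Explicit
' download.asp?file=contactlist.doc  (added example; names are hypothetical)
' PRIVATE_DIR is outside the web root, so no URL maps onto these files.
' Login is assumed to set Session("Logged") and Session("UserGroup").
Const PRIVATE_DIR = "D:\private\files"
Const adTypeBinary = 1, adVarChar = 200, adParamInput = 1, adCmdText = 1

Dim fso, fileName, fullPath, stm
Set fso = Server.CreateObject("Scripting.FileSystemObject")

' 1. No session flag: back to the login screen (Redirect ends the script).
If Session("Logged") <> True Then Response.Redirect "login.asp"

' 2. Keep only the base name so "..\" sequences cannot leave PRIVATE_DIR.
fileName = fso.GetFileName(Replace("" & Request.QueryString("file"), "/", "\"))
fullPath = fso.BuildPath(PRIVATE_DIR, fileName)

' 3. Per-file authorisation: the name must be listed for the user's group.
'    The same 404 is sent for "missing" and "not allowed".
If fileName = "" Or Not fso.FileExists(fullPath) Or _
   Not GroupMayRead(fileName, "" & Session("UserGroup")) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 4. Send the bytes from the script instead of redirecting to a URL.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile fullPath
Response.Clear
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.BinaryWrite stm.Read
stm.Close

' Parameterised lookup in the assumed table Files(FileName, GroupName).
Function GroupMayRead(name, groupName)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = Application("ConnStr")
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT 1 FROM Files WHERE FileName = ? AND GroupName = ?"
    cmd.Parameters.Append cmd.CreateParameter("f", adVarChar, adParamInput, 255, name)
    cmd.Parameters.Append cmd.CreateParameter("g", adVarChar, adParamInput, 64, groupName)
    Set rs = cmd.Execute
    GroupMayRead = Not rs.EOF
    rs.Close
End Function
%>
```

The account the site runs under needs NTFS read/write permission on the private folder; no IIS virtual directory should point at it.
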
Thanks Steven - that's got me going in the right direction,

Cheers, Mark

Jul 19 '05 #7
No problem ;o)

Jul 19 '05 #8
