Hello, I have a very simple problem I don't know how to approach. I
need a suggestion about the general approach to take.
I have a bunch of html pages on a machine, all in the same folder
"logs". Each html page contains a log. The filenames look like
logs/log-xxxx.html
where xxxx is a user-id. (Each file logically belongs to a different
user).
I am developing a web site in asp.net which allows each user to see
his own log.
The obvious approach is to have a page where I dynamically create a
link <a href="logs/log-xxxx.html">, where xxxx depends on the user
authenticated in asp.net. This works: when the user clicks the link,
the html opens in a new window. But, in the browser's location bar,
the user sees the full path of the file, e.g. http://localhost/WebSite/Docs/log-1234.html
Now, if he were to manually change the number on the location bar,
either by mistake or intentionally, he would see the log of another
user! This is not acceptable for privacy reasons.
What is a general approach to solve this problem? I mean, allowing the
user to only obtain his html file and not somebody else's. Have I to
write a httphandler, or is there a simpler solution?
Thanks a lot for any help,
Maurizio
"seguso" <ma**************@gmail.com> wrote in message
news:11*********************@k79g2000hse.googlegroups.com...
> What is a general approach to solve this problem?
Use a database...
-- http://www.markrae.net
you have to compare user id to value in logfile address - no match, no access.
Never expose actual path to sensitive data.
Instead of <a href="logs/log-xxxx.html">, use
<a href="showlog.aspx?id=xxxx">
Make a simple asp.net page showlog.aspx that will deliver the log by the
user id. The user won't know anything about the actual file location.
--
Eliyahu Goldin,
Software Developer & Consultant
Microsoft MVP [ASP.NET] http://msmvps.com/blogs/egoldin http://usableasp.net
On 11 Jun, 16:11, "Jon Paal [MSMD]" <Jon[ nospam ]Paal @ everywhere dot com> wrote:
> you have to compare user id to value in logfile address - no match, no access.
Thank you, but where should I do the comparison? When the user types
something in the browser's location bar, and presses ENTER, I don't
have a callback which can approve or discard the request...
Maurizio
Do not store those html files in the website, but just next to it.
This means that you can't have a direct link to it.
Add a "ViewLog.aspx" to your site, which
1) finds the id of the "current user",
2) builds the filename for his/her logfile,
3) uses Response.WriteFile to send that logfile to the browser.
Hans Kesting
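The suggestions in the replies above, combined into one handler as an added example (not code from any poster): the log folder sits outside the web root, the id is taken from the authenticated identity, and an `id` in the query string is honored only if it matches that identity. The class name, the `LogRoot` path, and the assumption that `User.Identity.Name` holds the numeric user id are hypothetical.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical handler; class name and paths are assumptions for illustration.
public class ViewLogHandler : IHttpHandler
{
    // Assumed folder outside the web root, so no URL maps to the files directly.
    private const string LogRoot = @"D:\AppData\logs";

    // Assumption: the authenticated identity name is the numeric user id.
    private static readonly Regex UserIdPattern = new Regex(@"\A[0-9]{1,10}\z");

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // The id comes from the server-side identity, never from the URL.
        string userId = context.User.Identity.Name;

        // If a link still carries ?id=xxxx, it must match the caller's own id.
        string requested = context.Request.QueryString["id"];
        bool mismatch = requested != null && requested != userId;

        // Refuse anything that is not a plain number before building a path.
        if (mismatch || !UserIdPattern.IsMatch(userId))
        {
            context.Response.StatusCode = 403;
            return;
        }

        string path = Path.Combine(LogRoot, "log-" + userId + ".html");
        if (!File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "text/html";
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.WriteFile(path);
    }
}
```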
You could pass them through an intermediate page, do the check, then proceed.
see also suggestion by Eliyahu Goldin below.
Thank you very much everybody. :)
Maurizio
map html files to asp.net in iis. then in your global.asa, in the
BeginRequest, do the user check. if fails, return a 401 response.
also you could encrypt the userid, so it's hard to guess.
-- bruce (sqlwork.com)
On 11 Jun, 17:42, bruce barker <nos...@nospam.com> wrote:
> map html files to asp.net in iis. then in your global.asa, in the
> BeginRequest, do the user check. if fails, return a 401 response.
> also you could encrypt the userid, so it's hard to guess.
Thank you very much Bruce. That's exactly what I was looking for.
Maurizio
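A request-pipeline check of the kind discussed above, as an added example that is not from the thread: it assumes `.html` requests are mapped to ASP.NET in IIS, that the logs are served from `~/logs/`, and that `User.Identity.Name` holds the numeric user id. It hooks `AuthorizeRequest`, the stage at which the authentication module has already populated `User`, and denies by default anything under the folder that is not the caller's own log.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Code-behind for Global.asax; folder name and id convention are assumptions.
public class Global : HttpApplication
{
    // URL shape from the thread, e.g. ~/logs/log-1234.html
    private static readonly Regex LogUrl =
        new Regex(@"\A~/logs/log-([0-9]+)\.html\z", RegexOptions.IgnoreCase);

    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        string rel = Request.AppRelativeCurrentExecutionFilePath;

        // Requests outside the protected folder are not affected.
        if (!rel.StartsWith("~/logs/", StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        if (User == null || !User.Identity.IsAuthenticated)
        {
            Deny(401);
            return;
        }

        // Default deny: a malformed name, or a well-formed name carrying
        // another user's id, is refused with the same response.
        Match m = LogUrl.Match(rel);
        if (!m.Success || m.Groups[1].Value != User.Identity.Name)
        {
            Deny(403);
        }
    }

    private void Deny(int status)
    {
        Response.StatusCode = status;
        // Skip the remaining pipeline stages so the file is never served.
        CompleteRequest();
    }
}
```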