Need general approach for hiding files

Hello, I have a very simple problem I don't know how to approach. I
need a suggestion about the general approach to take.

I have a bunch of html pages on a machine, all in the same folder
"logs". Each html page contains a log. The filenames look like

logs/log-xxxx.html

where xxxx is a user-id. (Each file logically belongs to a different
user).

I am developing a web site in asp.net which allows each user to see
his own log.

The obvious approach is to have a page where I dynamically create a
link <a href="logs/log-xxxx.html">, where xxxx depends on the user
authenticated in asp.net. This works: when the user clicks the link,
the html opens in a new window. But, in the browser's location bar,
the user sees the full path of the file, e.g.

http://localhost/WebSite/Docs/log-1234.html

Now, if he were to manually change the number on the location bar,
either by mistake or intentionally, he would see the log of another
user! This is not acceptable for privacy reasons.

What is a general approach to solve this problem? I mean, allowing the
user to only obtain his html file and not somebody else's. Have I to
write a httphandler, or is there a simpler solution?

Thanks a lot for any help,

Maurizio

Jun 11 '07 #1
"seguso" <ma**************@gmail.com> wrote in message
news:11*********************@k79g2000hse.googlegroups.com...
> What is a general approach to solve this problem?

Use a database...
--
http://www.markrae.net

Jun 11 '07 #2
you have to compare user id to value in logfile address - no match, no access.

Jun 11 '07 #3
Never expose actual path to sensitive data.

Instead of <a href="logs/log-xxxx.html">, use
<a href="showlog.aspx?id=xxxx">

Make a simple asp.net page showlog.aspx that will deliver the log by the
user id. The user won't know anything about the actual file location.

--
Eliyahu Goldin,
Software Developer & Consultant
Microsoft MVP [ASP.NET]
http://msmvps.com/blogs/egoldin
http://usableasp.net

Jun 11 '07 #4
On 11 Jun, 16:11, "Jon Paal [MSMD]" <Jon[ nospam ]Paal @ everywhere dot com> wrote:
> you have to compare user id to value in logfile address - no match, no access.

Thank you, but where should I do the comparison? When the user types
something in the browser's location bar, and presses ENTER, I don't
have a callback which can approve or discard the request...

Maurizio

Jun 11 '07 #5
Do not store those html files in the website, but just next to it.
This means that you can't have a direct link to it.
Add a "ViewLog.aspx" to your site, which
1) finds the id of the "current user",
2) builds the filename for his/her logfile,
3) uses Response.WriteFile to send that logfile to the browser.

Hans Kesting
Jun 11 '07 #6
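
The three steps in the post above, written out as a code-behind page. This is an added example, not code posted by anyone in the thread; it assumes forms authentication where `User.Identity.Name` holds the numeric user id, and `LogDirectory` is a hypothetical appSettings key pointing at a folder outside the web root.

```csharp
// ViewLog.aspx.cs: code-behind for a page declared with
// <%@ Page Language="C#" CodeFile="ViewLog.aspx.cs" Inherits="ViewLog" %>
using System;
using System.Configuration;
using System.IO;
using System.Text.RegularExpressions;
using System.Web.UI;

public partial class ViewLog : Page
{
    // Assumption: user ids are numeric, as in log-1234.html.
    private static readonly Regex UserIdPattern = new Regex(@"\A[0-9]{1,10}\z");

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1) Take the id from the authenticated identity, never from the URL.
        if (!User.Identity.IsAuthenticated)
        {
            Deny(401);
            return;
        }
        string userId = User.Identity.Name; // assumption: login name is the user id

        // Reject anything that could alter the path ("..", slashes, and so on).
        if (!UserIdPattern.IsMatch(userId))
        {
            Deny(403);
            return;
        }

        // 2) Build the file name inside a folder that IIS does not serve.
        //    "LogDirectory" is a hypothetical appSettings key.
        string logDir = Path.GetFullPath(ConfigurationManager.AppSettings["LogDirectory"]);
        string logFile = Path.Combine(logDir, "log-" + userId + ".html");
        if (!File.Exists(logFile))
        {
            Deny(404);
            return;
        }

        // 3) Send the file as the response body and stop page rendering.
        Response.ContentType = "text/html";
        Response.WriteFile(logFile);
        Response.End();
    }

    private void Deny(int status)
    {
        Response.StatusCode = status;
        Response.End();
    }
}
```

Because the request carries no id parameter at all, editing the URL cannot select another user's file.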
You could pass them through an intermediate page, do the check, then proceed.

see also suggestion by Eliyahu Goldin below.
"seguso" <ma**************@gmail.com> wrote in message news:11**********************@a26g2000pre.googlegroups.com...
> On 11 Jun, 16:11, "Jon Paal [MSMD]" <Jon[ nospam ]Paal @ everywhere dot com> wrote:
>> you have to compare user id to value in logfile address - no match, no access.
>
> Thank you, but where should I do the comparison? When the user types
> something in the browser's location bar, and presses ENTER, I don't
> have a callback which can approve or discard the request...
>
> Maurizio

Jun 11 '07 #7

Thank you very much everybody. :)

Maurizio

Jun 11 '07 #8
map html files to asp.net in iis. then in your global.asa, in the
BeginRequest, do the user check. if fails, return a 401 response.

also you could encrypt the userid, so it's hard to guess.
-- bruce (sqlwork.com)

Jun 11 '07 #9
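
A per-request check on direct log URLs, as an added example that is not code from the thread. It runs only for requests that reach ASP.NET (hence the .html mapping mentioned above), hooks AuthorizeRequest because the authenticated identity is not yet populated in BeginRequest, and assumes the files live under `~/logs/` with `User.Identity.Name` equal to the user id in the file name.

```csharp
// Global.asax.cs, referenced from Global.asax with
// <%@ Application Language="C#" Inherits="Global" %>
using System;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: the logs are served from ~/logs/ as log-<userid>.html.
    private const string LogFolder = "~/logs/";

    // Wired up by name. AuthorizeRequest fires after AuthenticateRequest,
    // so User is populated here; in BeginRequest it is still null.
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        string path = VirtualPathUtility.ToAppRelative(Request.Path);
        if (!path.StartsWith(LogFolder, StringComparison.OrdinalIgnoreCase))
            return; // not a log request

        if (User == null || !User.Identity.IsAuthenticated)
        {
            Reject(401);
            return;
        }

        // Deny by default: the only URL a user may fetch under ~/logs/ is the
        // one built from his own id (assumption: Identity.Name is that id).
        string own = LogFolder + "log-" + User.Identity.Name + ".html";
        if (!string.Equals(path, own, StringComparison.OrdinalIgnoreCase))
            Reject(403);
    }

    private void Reject(int status)
    {
        Response.StatusCode = status;
        CompleteRequest(); // skip the file handler, go straight to EndRequest
    }
}
```

Comparing the whole path against the one expected URL, instead of parsing the id out of the request, means any variation of the URL under `~/logs/` is refused.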
On 11 Jun, 17:42, bruce barker <nos...@nospam.com> wrote:
> map html files to asp.net in iis. then in your global.asa, in the
> BeginRequest, do the user check. if fails, return a 401 response.
>
> also you could encrypt the userid, so it's hard to guess.

Thank you very much Bruce. That's exactly what I was looking for.

Maurizio

Jun 12 '07 #10
