By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
428,683 Members | 1,597 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 428,683 IT Pros & Developers. It's quick & easy.

Need general approach for hiding files

P: n/a
Hello, I have a very simple problem I don't know how to approach. I
need a suggestion about the general approach to take.

I have a bunch of html pages on a machine, all in the same folder
"logs". Each html page contains a log. The filenames look like

logs/log-xxxx.html

where xxxx is a user-id. (Each file logically belongs to a different
user).

I am developing a web site in asp.net which allows each user to see
his own log.

The obvious approach is to have a page where I dynamically create a
link <a href="logs/log-xxxx.html">, where xxxx depends on the user
authenticated in asp.net. This works: when the user clicks the link,
the html opens in a new window. But, in the browser's location bar,
the user sees the full path of the file, e.g.

http://localhost/WebSite/Docs/log-1234.html

Now, if he were to manually change the number on the location bar,
either by mistake or intentionally, he would see the log of another
user! This is not acceptable for privacy reasons.

What is a general approach to solve this problem? I mean, allowing the
user to only obtain his html file and not somebody else's. Have I to
write a httphandler, or is there a simpler solution?

Thanks a lot for any help,

Maurizio

Jun 11 '07 #1
Share this Question
Share on Google+
9 Replies


P: n/a
"seguso" <ma**************@gmail.comwrote in message
news:11*********************@k79g2000hse.googlegro ups.com...
What is a general approach to solve this problem?
Use a database...
--
http://www.markrae.net

Jun 11 '07 #2

P: n/a
you have to compare user id to value in logfile address - no match, no access.
"seguso" <ma**************@gmail.comwrote in message news:11*********************@k79g2000hse.googlegro ups.com...
Hello, I have a very simple problem I don't know how to approach. I
need a suggestion about the general approach to take.

I have a bunch of html pages on a machine, all in the same folder
"logs". Each html page contains a log. The filenames look like

logs/log-xxxx.html

where xxxx is a user-id. (Each file logically belongs to a different
user).

I am developing a web site in asp.net which allows each user to see
his own log.

The obvious approach is to have a page where I dynamically create a
link <a href="logs/log-xxxx.html">, where xxxx depends on the user
authenticated in asp.net. This works: when the user clicks the link,
the html opens in a new window. But, in the browser's location bar,
the user sees the full path of the file, e.g.

http://localhost/WebSite/Docs/log-1234.html

Now, if he were to manually change the number on the location bar,
either by mistake or intentionally, he would see the log of another
user! This is not acceptable for privacy reasons.

What is a general approach to solve this problem? I mean, allowing the
user to only obtain his html file and not somebody else's. Have I to
write a httphandler, or is there a simpler solution?

Thanks a lot for any help,

Maurizio

Jun 11 '07 #3

P: n/a
Never expose actual path to sensitive data.

Instead of <a href="logs/log-xxxx.html">, use
<a href="showlog.aspx?id=xxxx">

Make a simple asp.net page showlog.aspx that will deliver the log by the
user id. The user won't know anything about the actual file location.

--
Eliyahu Goldin,
Software Developer & Consultant
Microsoft MVP [ASP.NET]
http://msmvps.com/blogs/egoldin
http://usableasp.net
"seguso" <ma**************@gmail.comwrote in message
news:11*********************@k79g2000hse.googlegro ups.com...
Hello, I have a very simple problem I don't know how to approach. I
need a suggestion about the general approach to take.

I have a bunch of html pages on a machine, all in the same folder
"logs". Each html page contains a log. The filenames look like

logs/log-xxxx.html

where xxxx is a user-id. (Each file logically belongs to a different
user).

I am developing a web site in asp.net which allows each user to see
his own log.

The obvious approach is to have a page where I dynamically create a
link <a href="logs/log-xxxx.html">, where xxxx depends on the user
authenticated in asp.net. This works: when the user clicks the link,
the html opens in a new window. But, in the browser's location bar,
the user sees the full path of the file, e.g.

http://localhost/WebSite/Docs/log-1234.html

Now, if he were to manually change the number on the location bar,
either by mistake or intentionally, he would see the log of another
user! This is not acceptable for privacy reasons.

What is a general approach to solve this problem? I mean, allowing the
user to only obtain his html file and not somebody else's. Have I to
write a httphandler, or is there a simpler solution?

Thanks a lot for any help,

Maurizio

Jun 11 '07 #4

P: n/a
On 11 Giu, 16:11, "Jon Paal [MSMD]" <Jon[ nospam ]Paal @ everywhere
dot comwrote:
you have to compare user id to value in logfile address - no match, no access.
Thank you, but where should I do the comparison? When the user types
something in the browser's location bar, and presses ENTER, I don't
have a callback which can approve or discard the request...

Maurizio

Jun 11 '07 #5

P: n/a
Hello, I have a very simple problem I don't know how to approach. I
need a suggestion about the general approach to take.

I have a bunch of html pages on a machine, all in the same folder
"logs". Each html page contains a log. The filenames look like

logs/log-xxxx.html

where xxxx is a user-id. (Each file logically belongs to a different
user).

I am developing a web site in asp.net which allows each user to see
his own log.

The obvious approach is to have a page where I dynamically create a
link <a href="logs/log-xxxx.html">, where xxxx depends on the user
authenticated in asp.net. This works: when the user clicks the link,
the html opens in a new window. But, in the browser's location bar,
the user sees the full path of the file, e.g.

http://localhost/WebSite/Docs/log-1234.html

Now, if he were to manually change the number on the location bar,
either by mistake or intentionally, he would see the log of another
user! This is not acceptable for privacy reasons.

What is a general approach to solve this problem? I mean, allowing the
user to only obtain his html file and not somebody else's. Have I to
write a httphandler, or is there a simpler solution?

Thanks a lot for any help,

Maurizio
Do not store those html files in the website, but just next to it.
This means that you can't have a direct link to it.
Add a "ViewLog.aspx" to your site, which
1) finds the id of the "current user",
2) builds the filename for his/her logfile,
3) uses Response.WriteFile to send that logfile to the browser.

Hans Kesting
Jun 11 '07 #6

P: n/a
You could pass them through an intermediate page, do the check, then proceed.

see also suggestion by Eliyahu Goldin below.
"seguso" <ma**************@gmail.comwrote in message news:11**********************@a26g2000pre.googlegr oups.com...
On 11 Giu, 16:11, "Jon Paal [MSMD]" <Jon[ nospam ]Paal @ everywhere
dot comwrote:
>you have to compare user id to value in logfile address - no match, no access.

Thank you, but where should I do the comparison? When the user types
something in the browser's location bar, and presses ENTER, I don't
have a callback which can approve or discard the request...

Maurizio

Jun 11 '07 #7

P: n/a

Thank you very much everybody. :)

Maurizio

Jun 11 '07 #8

P: n/a
map html files to asp.net in iis. then in your global.asa, in the
BeginRequest, do the user check. if fails, return a 401 response.

also you could encrypt the userid, so its hard to guess.
-- bruce (sqlwork.com)

seguso wrote:
Hello, I have a very simple problem I don't know how to approach. I
need a suggestion about the general approach to take.

I have a bunch of html pages on a machine, all in the same folder
"logs". Each html page contains a log. The filenames look like

logs/log-xxxx.html

where xxxx is a user-id. (Each file logically belongs to a different
user).

I am developing a web site in asp.net which allows each user to see
his own log.

The obvious approach is to have a page where I dynamically create a
link <a href="logs/log-xxxx.html">, where xxxx depends on the user
authenticated in asp.net. This works: when the user clicks the link,
the html opens in a new window. But, in the browser's location bar,
the user sees the full path of the file, e.g.

http://localhost/WebSite/Docs/log-1234.html

Now, if he were to manually change the number on the location bar,
either by mistake or intentionally, he would see the log of another
user! This is not acceptable for privacy reasons.

What is a general approach to solve this problem? I mean, allowing the
user to only obtain his html file and not somebody else's. Have I to
write a httphandler, or is there a simpler solution?

Thanks a lot for any help,

Maurizio
Jun 11 '07 #9

P: n/a
On 11 Giu, 17:42, bruce barker <nos...@nospam.comwrote:
map html files to asp.net in iis. then in your global.asa, in the
BeginRequest, do the user check. if fails, return a 401 response.

also you could encrypt the userid, so its hard to guess.

Thank you very much Bruce. That's exactly what I was looking for.

Maurizio

Jun 12 '07 #10

This discussion thread is closed

Replies have been disabled for this discussion.