
Mark 01-20-2004 07:29 AM

Forcing login to a web site
 
Hi - I have a document management system in ASP/VBScript, which copies
files to a http://www.[mysite]/files directory. While uploading files
to that directory, it also updates a database with full path
information, and user groups allowed to see the file.

To get access to the file list, a user needs to login - their login is
associated with a group list, which as above, permits them to see a file
list of files with the appropriate group membership.

As the link which is shown on the screen is a direct link to the
document, it would be relatively simple for anyone to see the link, and
access the document(s) without logging into the document management
system, e.g.: http://www[mysite]/files/contactlist.doc

Is there any way of securing the absolute path of the document, or of the
files directory, to stop people simply browsing by entering the URL -
where if they tried they would be taken back to the login screen? Or is
the only alternative to store the files in a BLOB field in the database,
and secure them in that way?

Thanks for any tips,

Mark


a client has requested that I make a file management system more secure




Steven Burn 01-20-2004 07:42 AM

Re: Forcing login to a web site
 
Why not just password the file's folder in IIS?

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)






Mark 01-20-2004 08:19 AM

Re: Forcing login to a web site
 
Hi Steven - thanks for the reply - but how would I allow the app to
write and read from the directory if it was password protected? I have
allowed IUSR access to upload the files to the directory - if I password
protect it, how do I still do this, and also retrieve the file for the
user to see? Thanks again,




Steven Burn 01-20-2004 08:28 AM

Re: Forcing login to a web site
 
You could always pass the username/password in your string to the file?

Alternatively, stick the files in a folder that's outside of the root, that
way they can't directly access them

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)






Mark 01-20-2004 01:19 PM

Re: Forcing login to a web site
 
Sorry - I'm not getting this.

If I do not allow anonymous access, and the site is on an internet,
where it is not possible to setup windows authentication, then how do I
capture the fact that a user has logged in (using a database lookup -
setting a session variable to say they are allowed access) when the
system redirects them to the http://www.mysite/files/myfile.txt dir/file
- if anonymous access is not allowed on this directory, they will be
prompted for a user name, password and domain.

Can I capture the event at this point, to say 'this person has already
logged in, and has a session variable set - so do not show the
username/password/domain box - let them view the file'?

Thanks again for the help,




Steven Burn 01-20-2004 02:20 PM

Re: Forcing login to a web site
 
I know the following is a bit long, and probably not the best way to do
things (probably even a little confusing) but, it should give you a basic
idea.

'Set a session variable when they log in, such as;

If Session("Logged") = True Then
    'grant them access
Else
    'kick them to google or something
End If

'Then to access the actual file........ first check to make sure they are logged in.

If AreTheyLoggedIn = True Then
    Dim strPath
    'URL is the server path to the file (see below)
    strPath = StripABSPath(URL) & "\myfile.txt"
    Response.Redirect strPath
Else
    Response.Redirect "not-logged_in.asp"
End If

'Here, we set strPath as the main path, then use request.servervariables to get the server name, and finally,
' I've written a custom function to convert an absolute path (server path) to a URL which you can use.
'
' fl.path is the file path (gotten via FSO), Replace has been used as well, to convert \ (server) to / (URL)

strPath = "http://" & Request.ServerVariables("SERVER_NAME") & _
    Replace(StripABSPath(fl.Path), "\", "/")

' Note: StripABSPath will ONLY accept an absolute path, it will not accept a URL. (at least, not if you want
' strPath to work anyway).

Function StripABSPath(name)
    Dim path
    path = Split(name, "private") 'Just above the root or "main" folder
    StripABSPath = path(UBound(path))
End Function

'Just double checks to make sure they're logged in
Public Function AreTheyLoggedIn()
    If Session("Logged") = True Then
        AreTheyLoggedIn = True
    Else
        AreTheyLoggedIn = False
    End If
End Function

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)


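Added example, not part of the original thread or any poster's code: a gatekeeper page that combines the two ideas discussed above (files stored outside the web root, access decided from the session set at login) and streams the file itself instead of redirecting to a URL. The path D:\private\files, the Files table and its columns, Session("Groups"), Application("ConnString") and login.asp are all assumptions made for illustration.

```asp
<%
Option Explicit
' download.asp?id=N : hypothetical gatekeeper page (added example).
' Assumed: files are stored in D:\private\files (outside the web root), login sets
' Session("Logged") and Session("Groups") (e.g. "|sales|staff|"), and a table
' Files(FileID, StoredName, GroupName) records which group may see each file.
Const STORE_DIR = "D:\private\files\"
Const adInteger = 3, adParamInput = 1, adTypeBinary = 1
Dim id, re, conn, cmd, rs, storedName, groupName, stm

' Not logged in: back to the login screen (Redirect ends the script).
If Session("Logged") <> True Then Response.Redirect "login.asp"

' Accept only a short run of digits as the file id.
id = Request.QueryString("id") & ""
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(id) Then DenyAccess "400 Bad Request"

' Look the file up by id with a parameterised query; the client never sends a path.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT StoredName, GroupName FROM Files WHERE FileID = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(id))
Set rs = cmd.Execute
If rs.EOF Then DenyAccess "404 Not Found"
storedName = rs("StoredName") : groupName = rs("GroupName")
rs.Close : conn.Close

' Authorise per file: the user's group list must contain the file's group.
If InStr(1, Session("Groups"), "|" & groupName & "|", vbTextCompare) = 0 Then DenyAccess "403 Forbidden"
' Defence in depth: the stored name must be a bare file name, never a path.
If InStr(storedName, "\") > 0 Or InStr(storedName, "/") > 0 Or InStr(storedName, "..") > 0 Then DenyAccess "403 Forbidden"

' Stream the bytes through the page; no URL to the file ever reaches the browser.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile STORE_DIR & storedName
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & storedName & """"
Response.BinaryWrite stm.Read
stm.Close

Sub DenyAccess(status)
    Response.Status = status
    Response.End
End Sub
%>
```

The file list would then link to download.asp?id=... rather than to a path under /files. Because the page reads the file from disk, the account the site runs under only needs NTFS read access to the storage folder, and no IIS password prompt is involved.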




Mark 01-20-2004 04:39 PM

Re: Forcing login to a web site
 
Thanks Steven - that's got me going in the right direction,

Cheers, Mark




Steven Burn 01-20-2004 07:10 PM

Re: Forcing login to a web site
 
No problem ;o)

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)






