Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP General > protected download of files...

Reply
Thread Tools

protected download of files...

 
 
Matthew Moran
Guest
Posts: n/a
 
      09-12-2003
I am creating a series of downloadable articles, career
tools, spreadsheets, etc. However, some of the content is
for "registered" guest. The registrants are stored in a
database and logon.

I want to ensure that someone registered cannot simply
pass someone the path to the files for download. However,
I am not creating an actual system user name for the
folders where the various documents exist.

I don't want someone to logon, retrieve the path to a
file, and be able to send that path or return to that path
without having to logon.

How do I accomplish this?

Consider the following:
serverroot/registeredcontentfolders would be protected by
a single logon name - not accessible via anonymous
access. User's logon to site and I auth them with their
user name but on the server side, auth with the single
account I am establishing for access to the protected
folders.

Any insight would be appreciated.

Thanks,
Matt
 
Reply With Quote
 
 
 
 
Turkbear
Guest
Posts: n/a
 
      09-12-2003
On Fri, 12 Sep 2003 09:11:54 -0700, "Matthew Moran" <(E-Mail Removed)> wrote:

>I am creating a series of downloadable articles, career
>tools, spreadsheets, etc. However, some of the content is
>for "registered" guest. The registrants are stored in a
>database and logon.
>
>I want to ensure that someone registered cannot simply
>pass someone the path to the files for download. However,
>I am not creating an actual system user name for the
>folders where the various documents exist.
>
>I don't want someone to logon, retrieve the path to a
>file, and be able to send that path or return to that path
>without having to logon.
>
>How do I accomplish this?
>
>Consider the following:
>serverroot/registeredcontentfolders would be protected by
>a single logon name - not accessible via anonymous
>access. User's logon to site and I auth them with their
>user name but on the server side, auth with the single
>account I am establishing for access to the protected
>folders.
>
>Any insight would be appreciated.
>
>Thanks,
>Matt


Place the 'restricted' downloads on a page that has the following code ( or some equivalent to it ) immediately after
the BODY tag:

<SCRIPT Language="JavaScript">
if (document.referrer != "http://YourLogin_passwordform_page.asp") {
location.href="http://Someplace_else.asp"
}

</SCRIPT>


hth,

 
Reply With Quote
 
 
 
 
Boris Nikolaevich
Guest
Posts: n/a
 
      09-13-2003
I have done this for several sites I have developed.

What I have done is create a "download.asp" script which checks for the
appropriate permissions, then uses FileSystemObject to read the file from
disk Response.ContentType, Response.AddHeader, and Response.BinaryWrite to
send the file to the browser.

This script is moste effective when the folder which stores the downloadable
files is outside the web structure, so there is no way that someone can get
to the files other than through download.asp. (For example, on the site I
was working on today, the client has the root folder for the domain at
d:\iisdata\www.myserver.com\html, and all of the downloadable files are in
d:\iisdata\www.myserver.com\downloads --since downloads is outside the web
root, there's no way to get to it from a browser.)

I have found added benefits by storing full names and paths to files in a
database, and only use a short ID to retrieve the file in my script. For
example, on the first site I developed using this method, I might have had a
link like
http://www.myserver.com/download.asp...s/glossary.doc.
As I kept reusing the same code, I figured out that it was even more
efficient to have a link like
http://www.myserver.com/download.asp?FileID=107 --not only does this mask
the full file name from the user, but it lets me easily flag files as
"members only" or "general public" by adding a field in the database, and it
eliminates problems I was having where people would try to publish documents
with names like "Member Dues & Fees.xls" (includes spaces and an &, which
were sometimes problematic for query strings!)

Hope that helps you get started,
Boris

"Matthew Moran" <(E-Mail Removed)> wrote in message
news:27d801c37948$9512a860$(E-Mail Removed)...
> I am creating a series of downloadable articles, career
> tools, spreadsheets, etc. However, some of the content is
> for "registered" guest. The registrants are stored in a
> database and logon.
>
> I want to ensure that someone registered cannot simply
> pass someone the path to the files for download. However,
> I am not creating an actual system user name for the
> folders where the various documents exist.
>
> I don't want someone to logon, retrieve the path to a
> file, and be able to send that path or return to that path
> without having to logon.
>
> How do I accomplish this?
>
> Consider the following:
> serverroot/registeredcontentfolders would be protected by
> a single logon name - not accessible via anonymous
> access. User's logon to site and I auth them with their
> user name but on the server side, auth with the single
> account I am establishing for access to the protected
> folders.
>
> Any insight would be appreciated.
>
> Thanks,
> Matt



 
Reply With Quote
 
Chris Baldwin
Guest
Posts: n/a
 
      09-13-2003
"Matthew Moran" <(E-Mail Removed)> wrote in message news:<27d801c37948$9512a860$(E-Mail Removed)>...
> I am creating a series of downloadable articles, career
> tools, spreadsheets, etc. However, some of the content is
> for "registered" guest. The registrants are stored in a
> database and logon.
>
> I want to ensure that someone registered cannot simply
> pass someone the path to the files for download. However,
> I am not creating an actual system user name for the
> folders where the various documents exist.
>
> I don't want someone to logon, retrieve the path to a
> file, and be able to send that path or return to that path
> without having to logon.


Matthew,

This is a common task, and you should be able to implement a solution
quickly. The best way to accomplish this is with an ASP download
script that uses software such as SoftArtisans FileUp
(http://fileup.softartisans.com). Using something such as FileUp to
handle the streaming of files is more reliable, more feature-rich, and
better performance-wise than just using the FileSystemObject (which
doesn't deal with binary files correctly) to stream your downloads.

-Chris
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
problem with code download file - two window file download Sam -- ASP .Net 2 03-17-2005 04:20 PM
Re: How can I display a download link in my (C#) ASP.NET web form to download a file stored in my sql db? Steve C. Orr [MVP, MCSD] ASP .Net 0 03-07-2005 07:14 PM
File upload/download from database. Download appends aspx page to end of file Ryan Taylor ASP .Net 2 11-10-2004 08:31 PM
Difference between "Protected WithEvents myClassName" And "Protected myClassName" ? Andreas Klemt ASP .Net 2 07-05-2003 12:51 AM



Advertisments