Restrict access to downloadable files

[Dan Vendel *GOF*]

Mintyman wrote:

> Hi there,
>
> I have been looking around the web but can't find a definite answer to this
> one:
>
> I have a number of documents (.pdf's and .doc's) that I want only logged in
> users of a site to gain access to. The links to these files sits in a page
> that is only accessible to users logged in. However, like your problem, if
> someone knew the full URL (e.g. [url]http://www.mysite/members/docs/XXXX.pdf[/url])
> then it would let them gain access.
>
> How can I do this. I think I need to store the files outside the root
> directory of the site and use some sort of script but I don't have a clue
> how.
>
> I am using Win 2000, IIS 5.0 and ASP
>
> Thanks,
>
> Darren
>
>

Darren,

Check with your host first. They usually have some kind of script
preinstalled that'll restrict access and prevent download by using e.g.
..htaccess files. If that's the case, all you have to do is to select the
folder and actiavte the script.

Else, go to e.g. [url]www.hotscripts.com[/url] and look for something that'll fit
your needs. There are heaps of both commercial and free scripts there.



--
Dan Vendel - *GOF*
[url]http://www.vendel.info[/url]
Contact me directly by clicking here:
[url]http://contact.vendel.info[/url]
Formmail tutorial:
[url]http://www.vendel.info/tut/formmail.html[/url]
Nested table demonstration:
[url]http://www.vendel.info/tabletut/[/url]

[osgood]

Mintyman wrote:

> We host our own website so I don't really have an 'expert' to ask for
> help
> as such. I've started looking through the scripts on the site you gave me
> but haven't found anything yet. Fingers crossed though.
>
> Darren
>
> "Dan Vendel *GOF*" wrote in
> message news:bg2ppn$5vh$9@forums.macromedia.com...
>

> >Mintyman wrote:
> >
> >

> >>Hi there,
> >>
> >>I have been looking around the web but can't find a definite answer to

>
> this
>

> >>one:
> >>
> >>I have a number of documents (.pdf's and .doc's) that I want only logged

>
> in
>

> >>users of a site to gain access to. The links to these files sits in a

>
> page
>

> >>that is only accessible to users logged in. However, like your problem,

>
> if
>

> >>someone knew the full URL (e.g. [url]http://www.mysite/members/docs/XXXX.pdf[/url])
> >>then it would let them gain access.
> >>
> >>How can I do this. I think I need to store the files outside the root
> >>directory of the site and use some sort of script but I don't have a

>
> clue
>

> >>how.
> >>
> >>I am using Win 2000, IIS 5.0 and ASP
> >>
> >>Thanks,
> >>
> >>Darren
> >>
> >>

> >
> >
> >Darren,
> >
> >Check with your host first. They usually have some kind of script
> >preinstalled that'll restrict access and prevent download by using e.g.
> >.htaccess files. If that's the case, all you have to do is to select the
> >folder and actiavte the script.
> >
> >Else, go to e.g. [url]www.hotscripts.com[/url] and look for something that'll fit
> >your needs. There are heaps of both commercial and free scripts there.
> >
> >
> >
> >--
> >Dan Vendel - *GOF*
> >[url]http://www.vendel.info[/url]
> >Contact me directly by clicking here:
> >[url]http://contact.vendel.info[/url]
> >Formmail tutorial:
> >[url]http://www.vendel.info/tut/formmail.html[/url]
> >Nested table demonstration:
> >[url]http://www.vendel.info/tabletut/[/url]
> >

>
>
>

Look for 'password .htaccess tutorials' on google. I turned up the one
below.

[url]http://help.powweb.com/tutorials/htaccess/passprotect.php[/url]

Personally I gave up and acquired an isp who could provide an interface,
to protect folders, controlled via the web-browser

[Julian Roberts]

Try this

[url]http://www.4guysfromrolla.com/webtech/081199-1.shtml[/url]

--
Jules
-----
Charon Cart 3
[url]http://www.charon.co.uk/charoncart[/url]



Mintyman wrote:

> Hi there,
>
> I have been looking around the web but can't find a definite answer
> to this one:
>
> I have a number of documents (.pdf's and .doc's) that I want only
> logged in users of a site to gain access to. The links to these files
> sits in a page that is only accessible to users logged in. However,
> like your problem, if someone knew the full URL (e.g.
> [url]http://www.mysite/members/docs/XXXX.pdf[/url]) then it would let them gain
> access.
>
> How can I do this. I think I need to store the files outside the root
> directory of the site and use some sort of script but I don't have a
> clue how.
>
> I am using Win 2000, IIS 5.0 and ASP
>
> Thanks,
>
> Darren

[Joe {RoastHorse}]

htaccess doesn't work with iis.

joe



"Dan Vendel *GOF*" <see_my_signature_@_the_bottom_of_the_post.com> wrote in
message news:bg2ppn$5vh$9@forums.macromedia.com...

> Mintyman wrote:
>

> > Hi there,
> >
> > I have been looking around the web but can't find a definite answer to

this

> > one:
> >
> > I have a number of documents (.pdf's and .doc's) that I want only logged

in

> > users of a site to gain access to. The links to these files sits in a

page

> > that is only accessible to users logged in. However, like your problem,

if

> > someone knew the full URL (e.g. [url]http://www.mysite/members/docs/XXXX.pdf[/url])
> > then it would let them gain access.
> >
> > How can I do this. I think I need to store the files outside the root
> > directory of the site and use some sort of script but I don't have a

clue

> > how.
> >
> > I am using Win 2000, IIS 5.0 and ASP
> >
> > Thanks,
> >
> > Darren
> >
> >

>
>
> Darren,
>
> Check with your host first. They usually have some kind of script
> preinstalled that'll restrict access and prevent download by using e.g.
> .htaccess files. If that's the case, all you have to do is to select the
> folder and actiavte the script.
>
> Else, go to e.g. [url]www.hotscripts.com[/url] and look for something that'll fit
> your needs. There are heaps of both commercial and free scripts there.
>
>
>
> --
> Dan Vendel - *GOF*
> [url]http://www.vendel.info[/url]
> Contact me directly by clicking here:
> [url]http://contact.vendel.info[/url]
> Formmail tutorial:
> [url]http://www.vendel.info/tut/formmail.html[/url]
> Nested table demonstration:
> [url]http://www.vendel.info/tabletut/[/url]
>

[Joe {RoastHorse}]

if you don't have an expert to hand then you may have other security holes,
anyhow... your problem can be solved like this:

put your downloadable files in a directory outside the doc root.
to download a file link to download.asp and append the file name eg:

href="download.asp?filename=myfile.pdf"

i don't do asp so i can only give you general pseudocode directions here:

// download.asp:
filename = getargs(filename);
openfile(filename);
readfile(filename);
closefile(filename);
outputheader ("Content-Type: application/octet-stream");
outputheader ("Content-Disposition: attachment; filename=filename");
outputheader ("Content-Length: ".filesize(filename));
output filename;

it basically involves reading the file specified in the url, outputing
headers and outputing the file data.
the asp gurus here may be able to elaborate.

joe


"Mintyman" <mintyman@ntlworld.com> wrote in message
news:bg2rpd$su3$1@forums.macromedia.com...

> We host our own website so I don't really have an 'expert' to ask for

help

> as such. I've started looking through the scripts on the site you gave me
> but haven't found anything yet. Fingers crossed though.
>
> Darren
>
> "Dan Vendel *GOF*" <see_my_signature_@_the_bottom_of_the_post.com> wrote

in

> message news:bg2ppn$5vh$9@forums.macromedia.com...

> > Mintyman wrote:
> >

> > > Hi there,
> > >
> > > I have been looking around the web but can't find a definite answer to

> this

> > > one:
> > >
> > > I have a number of documents (.pdf's and .doc's) that I want only

logged

> in

> > > users of a site to gain access to. The links to these files sits in a

> page

> > > that is only accessible to users logged in. However, like your

problem,

> if

> > > someone knew the full URL (e.g.

[url]http://www.mysite/members/docs/XXXX.pdf[/url])

> > > then it would let them gain access.
> > >
> > > How can I do this. I think I need to store the files outside the root
> > > directory of the site and use some sort of script but I don't have a

> clue

> > > how.
> > >
> > > I am using Win 2000, IIS 5.0 and ASP
> > >
> > > Thanks,
> > >
> > > Darren
> > >
> > >

> >
> >
> > Darren,
> >
> > Check with your host first. They usually have some kind of script
> > preinstalled that'll restrict access and prevent download by using e.g.
> > .htaccess files. If that's the case, all you have to do is to select the
> > folder and actiavte the script.
> >
> > Else, go to e.g. [url]www.hotscripts.com[/url] and look for something that'll fit
> > your needs. There are heaps of both commercial and free scripts there.
> >
> >
> >
> > --
> > Dan Vendel - *GOF*
> > [url]http://www.vendel.info[/url]
> > Contact me directly by clicking here:
> > [url]http://contact.vendel.info[/url]
> > Formmail tutorial:
> > [url]http://www.vendel.info/tut/formmail.html[/url]
> > Nested table demonstration:
> > [url]http://www.vendel.info/tabletut/[/url]
> >

>
>

[Joe {RoastHorse}]

sorry... should add that only logged in users should be able to access
download.asp - otherwise you're back where you started.

joe



"Joe {RoastHorse}" <joe@roast-horse.com> wrote in message
news:bg2vtu$6se$1@forums.macromedia.com...

> if you don't have an expert to hand then you may have other security

holes,

> anyhow... your problem can be solved like this:
>
> put your downloadable files in a directory outside the doc root.
> to download a file link to download.asp and append the file name eg:
>
> href="download.asp?filename=myfile.pdf"
>
> i don't do asp so i can only give you general pseudocode directions here:
>
> // download.asp:
> filename = getargs(filename);
> openfile(filename);
> readfile(filename);
> closefile(filename);
> outputheader ("Content-Type: application/octet-stream");
> outputheader ("Content-Disposition: attachment; filename=filename");
> outputheader ("Content-Length: ".filesize(filename));
> output filename;
>
> it basically involves reading the file specified in the url, outputing
> headers and outputing the file data.
> the asp gurus here may be able to elaborate.
>
> joe
>
>
> "Mintyman" <mintyman@ntlworld.com> wrote in message
> news:bg2rpd$su3$1@forums.macromedia.com...

> > We host our own website so I don't really have an 'expert' to ask for

> help

> > as such. I've started looking through the scripts on the site you gave

me

> > but haven't found anything yet. Fingers crossed though.
> >
> > Darren
> >
> > "Dan Vendel *GOF*" <see_my_signature_@_the_bottom_of_the_post.com> wrote

> in

> > message news:bg2ppn$5vh$9@forums.macromedia.com...

> > > Mintyman wrote:
> > >
> > > > Hi there,
> > > >
> > > > I have been looking around the web but can't find a definite answer

to

> > this

> > > > one:
> > > >
> > > > I have a number of documents (.pdf's and .doc's) that I want only

> logged

> > in

> > > > users of a site to gain access to. The links to these files sits in

a

> > page

> > > > that is only accessible to users logged in. However, like your

> problem,

> > if

> > > > someone knew the full URL (e.g.

> [url]http://www.mysite/members/docs/XXXX.pdf[/url])

> > > > then it would let them gain access.
> > > >
> > > > How can I do this. I think I need to store the files outside the

root

> > > > directory of the site and use some sort of script but I don't have a

> > clue

> > > > how.
> > > >
> > > > I am using Win 2000, IIS 5.0 and ASP
> > > >
> > > > Thanks,
> > > >
> > > > Darren
> > > >
> > > >
> > >
> > >
> > > Darren,
> > >
> > > Check with your host first. They usually have some kind of script
> > > preinstalled that'll restrict access and prevent download by using

e.g.

> > > .htaccess files. If that's the case, all you have to do is to select

the

> > > folder and actiavte the script.
> > >
> > > Else, go to e.g. [url]www.hotscripts.com[/url] and look for something that'll fit
> > > your needs. There are heaps of both commercial and free scripts there.
> > >
> > >
> > >
> > > --
> > > Dan Vendel - *GOF*
> > > [url]http://www.vendel.info[/url]
> > > Contact me directly by clicking here:
> > > [url]http://contact.vendel.info[/url]
> > > Formmail tutorial:
> > > [url]http://www.vendel.info/tut/formmail.html[/url]
> > > Nested table demonstration:
> > > [url]http://www.vendel.info/tabletut/[/url]
> > >

> >
> >

>
>

[Mintyman]

Hi Julian,

Thanks for that link. I read the article and, while it is good, doesn't
address the fact that the files will still physically sit within the root of
the website. Thus, someone could still guess the full URL of the file. The
only way I can see round this is to store the files outwith the root
directory of the site and use some sort of linking to reference them locally
(just like an ODBC connector for the database that runs the site - it sits
outside the root directory). Apart from that, the article does cover some
nice points.

Darren

"Julian Roberts" <newsgroup@charon.co.uk> wrote in message
news:bg2u78$3t9$1@forums.macromedia.com...

> Try this
>
> [url]http://www.4guysfromrolla.com/webtech/081199-1.shtml[/url]
>
> --
> Jules
> -----
> Charon Cart 3
> [url]http://www.charon.co.uk/charoncart[/url]
>
>
>
> Mintyman wrote:

> > Hi there,
> >
> > I have been looking around the web but can't find a definite answer
> > to this one:
> >
> > I have a number of documents (.pdf's and .doc's) that I want only
> > logged in users of a site to gain access to. The links to these files
> > sits in a page that is only accessible to users logged in. However,
> > like your problem, if someone knew the full URL (e.g.
> > [url]http://www.mysite/members/docs/XXXX.pdf[/url]) then it would let them gain
> > access.
> >
> > How can I do this. I think I need to store the files outside the root
> > directory of the site and use some sort of script but I don't have a
> > clue how.
> >
> > I am using Win 2000, IIS 5.0 and ASP
> >
> > Thanks,
> >
> > Darren

>
>
>

[Julian Roberts]

No, the gist of the article is that only the name of the file is revealed to
the user. If your files are sitting in

yoursite.com/ytr65rttndgghd3543/

then nobody will guess the folder name

--
Jules
-----
Charon Cart 3
[url]http://www.charon.co.uk/charoncart[/url]



Mintyman wrote:

> Hi Julian,
>
> Thanks for that link. I read the article and, while it is good,
> doesn't address the fact that the files will still physically sit
> within the root of the website. Thus, someone could still guess the
> full URL of the file. The only way I can see round this is to store
> the files outwith the root directory of the site and use some sort of
> linking to reference them locally (just like an ODBC connector for
> the database that runs the site - it sits outside the root
> directory). Apart from that, the article does cover some nice points.
>
> Darren
>
> "Julian Roberts" <newsgroup@charon.co.uk> wrote in message
> news:bg2u78$3t9$1@forums.macromedia.com...

>> Try this
>>
>> [url]http://www.4guysfromrolla.com/webtech/081199-1.shtml[/url]
>>
>> --
>> Jules
>> -----
>> Charon Cart 3
>> [url]http://www.charon.co.uk/charoncart[/url]
>>
>>
>>
>> Mintyman wrote:

>>> Hi there,
>>>
>>> I have been looking around the web but can't find a definite answer
>>> to this one:
>>>
>>> I have a number of documents (.pdf's and .doc's) that I want only
>>> logged in users of a site to gain access to. The links to these
>>> files sits in a page that is only accessible to users logged in.
>>> However, like your problem, if someone knew the full URL (e.g.
>>> [url]http://www.mysite/members/docs/XXXX.pdf[/url]) then it would let them gain
>>> access.
>>>
>>> How can I do this. I think I need to store the files outside the
>>> root directory of the site and use some sort of script but I don't
>>> have a clue how.
>>>
>>> I am using Win 2000, IIS 5.0 and ASP
>>>
>>> Thanks,
>>>
>>> Darren

[Mintyman]

Hi Julian,

I completely missed that! must've been dreaming of the weekend already! I
suppose in practice nobody SHOULD guess the exact URL but it's still not
watertight. I wonder if the leeching programs would still bea ble to pick it
up?


"Julian Roberts" <newsgroup@charon.co.uk> wrote in message
news:bg378e$l7m$1@forums.macromedia.com...

> No, the gist of the article is that only the name of the file is revealed

to

> the user. If your files are sitting in
>
> yoursite.com/ytr65rttndgghd3543/
>
> then nobody will guess the folder name
>
> --
> Jules
> -----
> Charon Cart 3
> [url]http://www.charon.co.uk/charoncart[/url]
>
>
>
> Mintyman wrote:

> > Hi Julian,
> >
> > Thanks for that link. I read the article and, while it is good,
> > doesn't address the fact that the files will still physically sit
> > within the root of the website. Thus, someone could still guess the
> > full URL of the file. The only way I can see round this is to store
> > the files outwith the root directory of the site and use some sort of
> > linking to reference them locally (just like an ODBC connector for
> > the database that runs the site - it sits outside the root
> > directory). Apart from that, the article does cover some nice points.
> >
> > Darren
> >
> > "Julian Roberts" <newsgroup@charon.co.uk> wrote in message
> > news:bg2u78$3t9$1@forums.macromedia.com...

> >> Try this
> >>
> >> [url]http://www.4guysfromrolla.com/webtech/081199-1.shtml[/url]
> >>
> >> --
> >> Jules
> >> -----
> >> Charon Cart 3
> >> [url]http://www.charon.co.uk/charoncart[/url]
> >>
> >>
> >>
> >> Mintyman wrote:
> >>> Hi there,
> >>>
> >>> I have been looking around the web but can't find a definite answer
> >>> to this one:
> >>>
> >>> I have a number of documents (.pdf's and .doc's) that I want only
> >>> logged in users of a site to gain access to. The links to these
> >>> files sits in a page that is only accessible to users logged in.
> >>> However, like your problem, if someone knew the full URL (e.g.
> >>> [url]http://www.mysite/members/docs/XXXX.pdf[/url]) then it would let them gain
> >>> access.
> >>>
> >>> How can I do this. I think I need to store the files outside the
> >>> root directory of the site and use some sort of script but I don't
> >>> have a clue how.
> >>>
> >>> I am using Win 2000, IIS 5.0 and ASP
> >>>
> >>> Thanks,
> >>>
> >>> Darren

>
>

[Gary White]

On Mon, 28 Jul 2003 14:33:39 +0100, "Mintyman" <mintyman@ntlworld.com>
wrote:

>I completely missed that! must've been dreaming of the weekend already! I
>suppose in practice nobody SHOULD guess the exact URL but it's still not
>watertight. I wonder if the leeching programs would still bea ble to pick it
>up?

There is a good article at
[url]http://www.devshed.com/Server_Side/PHP/UserAuth/page1.html[/url].

While the article addresses PHP on an Apache server, the techniques
can be used anywhere.


Gary