
Forum Moderators: incrediBILL


Log-in protection for a direct type in of the file name

     
2:22 pm on Jun 28, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:May 6, 2003
posts:200
votes: 0


Hi All,
I have a page that has files on it that I do not want anyone to have access to. Currently to access this page through my website you have to enter a username and password to gain access to the downloads page. This works great.
However, I just realized if someone were to direct type to the page like so:
www.****xxxx.xom/xxxxxx/filename.file
they can download the files. Is there any way to lock this up?
Thanks for your help.
2:26 pm on June 28, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member blobfisk is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 25, 2002
posts:3185
votes: 0


On the username and password entry, set some session variable and authenticate each page against this...

HTH

2:42 pm on June 28, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:May 6, 2003
posts:200
votes: 0


Hi Blob,
Thanks for the quick reply!

Unfortunately I did not write the .asp pages and this is new to me.
Where do I enter HTH?
I have a pre_chk.asp page, a chk_login.asp page, a bad_login.asp page and login page.
Sorry for being a pain!

2:49 pm on June 28, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 28, 2003
posts:869
votes: 0


Would it not be simpler to use an .htaccess file and just put all the files you want to protect in the protected directory?
2:51 pm on June 28, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member blobfisk is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 25, 2002
posts:3185
votes: 0


HTH = Hope This Helps! ;)

This is a very simplistic example. To set a session variable:

session("sessionVar") = "something"

and to retrieve it:

Dim gotSessionVariable
gotSessionVariable = session("sessionVar")

HTH

2:59 pm on June 28, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:May 6, 2003
posts:200
votes: 0


Helen:

Will this stop anyone from being able to access the files by direct typing?

3:23 pm on June 28, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 28, 2003
posts:869
votes: 0


Yes, as far as I know.
3:33 pm on June 28, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:May 6, 2003
posts:200
votes: 0


I have all my documents that I need protected in a downloads file on my server. I have it protected so if you just type www.myurl/downloads it will ask you for your username and password; however, if you type in www.myurl/downloads/filename it automatically starts downloading the file.
How do you stop this using the form you are suggesting or is there a tutorial you know of that can help me?
Thanks!
4:35 pm on June 28, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:June 3, 2004
posts:55
votes: 0


In PHP I would use the login page to set a bizarre variable such as $fsdsf=87;
then protect the pages with:

if ($fsdsf == 87) {
    // page contents
} else {
    // error message
}

Hope this helps

4:44 pm on June 28, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 3, 2003
posts:792
votes: 0


I have all my documents that I need protected in a downloads file on my server. I have it protected so if you just type www.myurl/downloads it will ask you for your username and password; however, if you type in www.myurl/downloads/filename it automatically starts downloading the file.
How do you stop this using the form you are suggesting or is there a tutorial you know of that can help me?
Thanks!

Edit the security settings for the download folder. Remove "Everyone" and add Administrator/s and your own userid.

To restrict access to specific users of your website, then you will need to either: 1) add userids for each one (expensive route for Windows servers), or 2) build a custom solution that performs a database validation on the user and then streams back the requested file.

To do option 2) takes a bit of work. You will need to physically locate the files somewhere else (preferably outside of the root structure of the website itself) and then utilize a 404 error handler to verify that the user is logged in and stream the file back.
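
Added example, not part of the original thread and not any poster's code: a classic ASP gate page that combines the session-variable check suggested earlier with the "move the files outside the web root and stream them back" approach from the last reply, using a query-string parameter instead of a 404 handler. The page name download.asp, the session key "loggedIn", the parameter name f and the folder D:\protected_downloads\ are all assumptions made for illustration.

```asp
<%
Option Explicit
' download.asp?f=manual.pdf  (hypothetical gate page, added example)
' Assumes chk_login.asp runs  Session("loggedIn") = True  after a good login,
' and that the files were moved to STORE_DIR, outside the web root.
Const STORE_DIR = "D:\protected_downloads\"   ' hypothetical path
Const adTypeBinary = 1
Response.Buffer = True

' 1. No authenticated session: send the visitor to the login page.
If Session("loggedIn") <> True Then
    Response.Redirect "login.asp"
End If

' 2. Accept only a bare file name. The whitelist rejects "..", slashes,
'    drive letters, quotes and line breaks, so the request cannot leave
'    STORE_DIR or tamper with the response header.
Dim re, fileName
fileName = Request.QueryString("f") & ""
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$"
If Not re.Test(fileName) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 3. The file must exist in the protected folder.
Dim fso, fullPath
Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = STORE_DIR & fileName
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 4. Stream the file back in 64 KB chunks so large files do not sit in memory.
Dim stream
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile fullPath
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Do While Not stream.EOS
    Response.BinaryWrite stream.Read(65536)
    Response.Flush
Loop
stream.Close
%>
```

Links on the downloads page then point at download.asp?f=filename rather than at the file, so a typed-in URL has nothing to fetch unless the session check passes.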