
Forum Moderators: incrediBILL


Log-in protection for a direct type in of the file name

     

Blelisa

2:22 pm on Jun 28, 2004 (gmt 0)

10+ Year Member



Hi All,
I have a page that has files on it that I do not want anyone to have access to. Currently to access this page through my website you have to enter a username and password to gain access to the downloads page. This works great.
However, just realized if someone were to direct type to the page like so:
www.****xxxx.xom/xxxxxx/filename.file
they can download the files. Is there any way to lock this up?
Thanks for your help.

BlobFisk

2:26 pm on Jun 28, 2004 (gmt 0)

WebmasterWorld Senior Member blobfisk is a WebmasterWorld Top Contributor of All Time 10+ Year Member



On the username and password entry, set some session variable and authenticate each page against this...

HTH

Blelisa

2:42 pm on Jun 28, 2004 (gmt 0)

10+ Year Member



Hi Blob,
Thanks for the quick reply!

Unfortunately I did not write the .asp pages and this is new to me.
Where do I enter HTH?
I have a pre_chk.asp page, a chk_login.asp page, a bad_login.asp page and login page.
Sorry for being a pain!

HelenDev

2:49 pm on Jun 28, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Would it not be simpler to use an .htaccess file and just put all the files you want to protect in the protected directory?

BlobFisk

2:51 pm on Jun 28, 2004 (gmt 0)

WebmasterWorld Senior Member blobfisk is a WebmasterWorld Top Contributor of All Time 10+ Year Member



HTH = Hope This Helps! ;)

This is a very simplistic example. To set a session variable:

session("sessionVar") = "something"

and to retrieve it:

Dim gotSessionVariable
gotSessionVariable = session("sessionVar")

HTH

Blelisa

2:59 pm on Jun 28, 2004 (gmt 0)

10+ Year Member



Helen:

Will this stop anyone from being able to access the files by direct typing?

HelenDev

3:23 pm on Jun 28, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, as far as I know.

Blelisa

3:33 pm on Jun 28, 2004 (gmt 0)

10+ Year Member



I have all my documents that I need protected in a downloads file on my server. I have it protected so if you just type www.myurl/downloads it will ask you for your username and password; however, if you type in www.myurl/downloads/filename it automatically starts downloading the file.
How do you stop this using the form you are suggesting or is there a tutorial you know of that can help me?
Thanks!

m_shroom

4:35 pm on Jun 28, 2004 (gmt 0)

10+ Year Member



In php I would use the login page to set a bizarre variable such as $fsdsf=87;
then protect the pages with:

if ($fsdsf == 87) {
    // page contents
} else {
    // error message
}

Hope this helps

john_k

4:44 pm on Jun 28, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have all my documents that I need protected in a downloads file on my server. I have it protected so if you just type www.myurl/downloads it will ask you for your username and password; however, if you type in www.myurl/downloads/filename it automatically starts downloading the file.
How do you stop this using the form you are suggesting or is there a tutorial you know of that can help me?
Thanks!

Edit the security settings for the download folder. Remove "Everyone" and add Administrator/s and your own userid.

To restrict access to specific users of your website, then you will need to either: 1) add userids for each one (expensive route for Windows servers), or 2) build a custom solution that performs a database validation on the user and then streams back the requested file.

To do option 2) takes a bit of work. You will need to physically locate the files somewhere else (preferably outside of the root structure of the website itself) and then utilize a 404 error handler to verify that the user is logged in and stream the file back.
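
Added example, not part of the thread or written by any poster: a classic ASP sketch of option 2 that combines the session check suggested earlier with streaming from a folder outside the web root. It uses a `file` query-string parameter instead of the 404 handler mentioned above; the page name `download.asp`, the `Session("loggedIn")` flag, `login.asp` and the `D:\protected_files\` path are assumptions.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' download.asp (hypothetical name). Assumes chk_login.asp sets
' Session("loggedIn") = True after a successful login, and that the files
' were moved to STORE_DIR, a placeholder folder outside the web root.
Const STORE_DIR = "D:\protected_files\"
Const adTypeBinary = 1
Const ALLOWED = "abcdefghijklmnopqrstuvwxyz0123456789._-"

Dim fileName, safe, i, fso, fullPath, stream

' 1. Authenticate the file request itself, not only the page that links to it.
If Session("loggedIn") <> True Then
    Response.Redirect "login.asp"   ' assumed name of the login page
    Response.End
End If

' 2. Accept a bare file name only, so "..\" or a full path cannot
'    walk out of STORE_DIR.
fileName = Request.QueryString("file") & ""
safe = (Len(fileName) > 0 And Len(fileName) <= 100 And InStr(fileName, "..") = 0)
For i = 1 To Len(fileName)
    If InStr(ALLOWED, LCase(Mid(fileName, i, 1))) = 0 Then safe = False
Next
If Not safe Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = STORE_DIR & fileName
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 3. Stream the bytes back. The file has no URL of its own, so typing
'    a path into the browser no longer reaches it.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile fullPath
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.BinaryWrite stream.Read
stream.Close
%>
```

The whole file is read into memory before it is sent, so very large downloads would need to be written out in chunks instead.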

 
