I have an ASP site set up running on IIS 5.0. The user is required to login
in order to have access to some pages to see the links to downloadable
files. There is a check on these pages (using server behaviours) to ensure
that the user is logged in; if not, they are redirected back to the login
page.
The problem is if the user knows the full url of the downloadable files
(.mpg format), they can access the files because there are no checks.
Is there a way of stopping a user typing in a full url and accessing the
downloaded files directly?
Thanks in advance,
P.S. I know that it's an IIS issue but if someone knows about it I would
appreciate it.
Denis
If you put the .mpg's in a password protected
directory then only logged in users should be
able to get at them. You have your choice of
digest or basic authentication. However, if
you are using a homegrown login system, then
I can see your problem.
At least basic authentication would solve your
problem, or is it a limitation of the media
players involved?
If that is the case there is a new isapi filter
available that can help you out because it
rewrites outbound and inbound url's from
protected directories and expires those url's
in 30 minutes. In other words, cheaters
only have a 30 minute window.
Having read the charter, I notice that it does
not prohibit the posting of url's. However,
I am still a little leery of doing so. As
a compromise I will send you to two demo sites
where you can find your way further. They are:
<removed>
and
<removed>
<snip>
Spenser
ps. To all the welcomes, thanks!
[edited by: Xoc at 6:07 pm (utc) on June 23, 2003]
You are right about the password protected directory. But if I do this (I have to contact my hosting company first), then the logged-in user has to use one more username and password in order to have access to the protected directory... Am I right about this?
I have made the login page using the login server behaviour of Dreamweaver MX.
I don't have problems with the players as I only want to have downloadable video files.
I read somewhere else to put the files in a directory outside the root and use some HTTP headers to access them without the URL being revealed. Is it possible? If "yes", how can I do this?
P.S. I am a little bit of a newbie.
Thanks again
Denis
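
The approach asked about above (files kept outside the web root and served by a script that repeats the login check), sketched as an added example that is not part of any post in this thread. The page name download.asp, the f parameter, the D:\protected_media\ folder and login.asp are assumptions, as is the session key MM_Username, which is assumed to be what the login page sets.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' download.asp?f=clip01.mpg  (hypothetical page name and parameter)
Const MEDIA_DIR  = "D:\protected_media\"  ' assumed folder outside the web root
Const LOGIN_PAGE = "login.asp"            ' assumed login page
Const CHUNK_SIZE = 65536                  ' bytes sent per write

Dim fileName, fso, fullPath, stream

' 1. Repeat the login check used on the protected pages.
'    Assumption: the login page stores the user name in Session("MM_Username").
If Session("MM_Username") = "" Then
    Response.Redirect LOGIN_PAGE   ' ends the script, nothing below runs
End If

' 2. Accept a bare file name only, so "..\" or a full path cannot
'    reach anything outside MEDIA_DIR.
fileName = Request.QueryString("f")
If Not IsSafeName(fileName) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = MEDIA_DIR & fileName
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 3. Send the file as a download; the browser only ever sees download.asp.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1                    ' adTypeBinary
stream.Open
stream.LoadFromFile fullPath       ' note: loads the whole file into memory
Response.Buffer = False
Response.ContentType = "video/mpeg"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.AddHeader "Content-Length", CStr(stream.Size)
Do While Not stream.EOS And Response.IsClientConnected
    Response.BinaryWrite stream.Read(CHUNK_SIZE)
Loop
stream.Close

Function IsSafeName(name)
    Dim re : Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]+\.mpg$"   ' letters, digits, _ and - only
    IsSafeName = re.Test(name)
End Function
%>
```

The IIS anonymous account needs read access to the media folder, and the folder must not be mapped to any virtual directory, otherwise the direct URL problem returns.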
If you could combine the password protection
with asp generated pages that check privileges
*AND* the hotlinking isapi then you would have
the perfect solution.
A file could then only *leak* through a
logged in user who also shared the url.
Hopefully, that is unlikely.
Did you at least try the demonstration?