Forum Moderators: phranque
I started with some simple text and a link, so when the user clicks on the link, the spreadsheet opens up. At this point the user can now see the address and name of the spreadsheet in the address bar.
Next I decided I wanted to protect this some. I created a page with a form to enter a name and password. I have a validate.asp page that confirms the users name and password, then directs them a new page with the links or to an invalid user page. The page with the link is an .asp page that has a session variable to make sure the user logs in first. So they cannot just type in the address of the page with the link and do directly there.
Well this gets me part way there. The original problem still exists. Once they click on the link to the .xls file the user see's the address to the file. They can still type in the address to the file directly and get it w/o ever having to log in.
How can create a link to the file, and not expose its address.
That way visitors with the exact URL to the .xls file could not open it (unless they already knew the password) and they would still need to login to get the password itself before they could open the file.
Good info on .htacces can be found:
[javascriptkit.com...]
Good luck
.htaccess files - seems those are for apache servers. Do they run on a Win2000 Server? I believe that is the type server we are on at the webhost place.
Here is the suggestion from the guy at the webhost. He said he could disallow access to annonymous user for a specific folder. I could put the .xls files in there and people cannot access them unless they login. My curiosity about this approach is will the webpage that contains the links be able to access this w/o log in?
In this approach I was thinking I would put the login.htm, validate.asp, and noaccess.htm pages outside the protected folder. Have the access.asp page and the .xls inside the protected folder. Validate.asp would direct the user to access.asp if the login was ok. -- Will this work if the user browsing the site ( which I believe is annonymous ) does not have read access to the folder where access.asp resides?
As I understand this type of file or directory protection, when the directory or file is accessed a password box will be displayed by the server. The user must enter the correct password before that file can be accessed so that means that any page with a link to that file or directory will trigger the password box. When the password is entered, the file or directory will be made available.
The link to a protect directory must be outside that directory. If protecting only a file, the link location isn't that important.
If the server is providing the protection, be careful you don't end up with 2 requests for a password: one from the server and one from your asp page script.
As to the best method, it depends on if you want to prevent someone from downloading the file without permission or you only want to prevent someone from opening the file without permission.
Yes, .htaccess is only for apache and maybe some others. Window type servers have a configuration file that does the same thing but some hosts will not allow you access but may configure the file for you.
login.htm
validate.asp
link.asp
unautorized.htm
displayxls.asp
myfile.xls
The user logs in, if valid goes to link.asp otherwise unauthorized.htm. Inside link.asp is the text telling the user where to click, the link, and a ton of graphics, etc. The href points to displayxls.asp
In displayxls.asp is
Response.ContentType = "application/vnd.ms-excel"
Server.Execute(myfile.xls)
This displays the spreadsheet and the path is hidden from the address bar. It still shows displayxls.asp in the address bar, yet they see the speadsheet. -- They never see the name of the spreadsheet, and they never see the fact its in a different folder all together.
Notes: the .asp files all use a session variable so the user is forced to login. Yes the .xls files are still unprotected and the user could download them, if they could ever figure out the folder and file names which appear to be hidden from them.
Other than the obvious thing I pointed out, any holes in this?
Well this technique does have a little glitch in it. It works for some people and not for others.
For users that work -> When the user clicks on the link, the response.contenttype and server.execute code get ran. On working machines this appears to download the .xls file to the Temp Internet files dir under the disguised filename, and then automatically launches excel and/or displayed it right there in the browser. For users w/o excel I have been told they get the standard open with dialog and associate MSWorks ( for example ) with a .xls file and everything is fine.
For users that dont work -> The login the first time in my login screen. Then get to the links ok. When they click on the link, the server itself prompts them to login. Since they dont know our server login and password they are stuck.
The interesting part is, if they right click on the link and choose "save target as" and download the .xls file saved to the hard drive w/o opening a viewer at the same time they dont get any message. Then as a second step they can use Windows Explorer and click on the file and it opens just fine from the local machine. -- This is an ok workaround for now.
So the problem appears to be when you try the operation as a one step process. For some it works fine and others the server is trying to make them login. -- Difference in browser settings of some kind?
It seems like in one case the file is transferred from the server to the local machine, then opened so the server see's only an "annonymous user read" operation. Where other browsers are trying to open the file right from the server? This is a guess, but this would make it so the server would see an annonymous user doing more than just read priviledges. So it trys to make them login. -- This is my guess as to whats going on.
So the question becomes how can I tweak my 2 lines .asp script shown above to make it so it always does the transfer first? ( Assuming this is really the problem )
Or are there browser settings I can tell them to go change to make it all better?
Thanks again for all your help.
Sly
