Securing File Paths and File Names

<i><b>Originally posted by : Andrew</b></i><br />I've made a typical login page that after authentication, it lists files from a virtual directory for the user to download. The problem is that when the user clicks on the button to download a file(submitted through a form that redirects to that file), the user can see the actual location of it on the browser's status bar. This would mean that they could ignore the login section and go straight to the files. Even if I make all the pages secure using session variables or cookies, querystrings, etc... the files are still viewable. Is there a solution? Perhaps maybe besides direct downloading to the browser?(Can't seem to find much documentation... even on aspin) Help is EXTREMELY appreciated. <br /><br />

<i><b>Originally posted by : Ajay Dhunna (Ajay@AimproNet.com)</b></i><br />how about any of the following:<br /><br />a) A server side solution. You can call your ISP and ask them to password protect a whole sub directory. If anyone tries to access any file within this area they will require a password.<br /><br />b) Here's a clever solution:<br />1) Use the FileSystemObject to display the contents of that directory only.<br />2) Make the listings of each file a hyperlink which leads to one fixed page such as download.asp, passing into it the filename as a parameter.<br />3) Within download page, move the file from its current area into a temporary area. <br />4) Rename the file to some random filename.<br />5) Create a hyperlink, or a javascript window.href to that file now that its in the temporary area (which must have RWX permissions.). Periodically, or after each login, or 10 visits to your website etc, clear down that temporary area.<br /><br />Phew<br /><br />Aj<br /><br />------------<br />Andrew at 6/6/2001 2:23:21 AM<br /><br />I've made a typical login page that after authentication, it lists files from a virtual directory for the user to download. The problem is that when the user clicks on the button to download a file(submitted through a form that redirects to that file), the user can see the actual location of it on the browser's status bar. This would mean that they could ignore the login section and go straight to the files. Even if I make all the pages secure using session variables or cookies, querystrings, etc... the files are still viewable. Is there a solution? Perhaps maybe besides direct downloading to the browser?(Can't seem to find much documentation... even on aspin) Help is EXTREMELY appreciated. <br /><br />

<i><b>Originally posted by : Andrew</b></i><br />Thanks...it's a clever idea... I've thought about a similar one but the thing is it would be a killer on the server side when several users try to access it.<br /><br /><br />------------<br />Ajay Dhunna at 6/7/2001 6:05:05 AM<br /><br />how about any of the following:<br /><br />a) A server side solution. You can call your ISP and ask them to password protect a whole sub directory. If anyone tries to access any file within this area they will require a password.<br /><br />b) Here's a clever solution:<br />1) Use the FileSystemObject to display the contents of that directory only.<br />2) Make the listings of each file a hyperlink which leads to one fixed page such as download.asp, passing into it the filename as a parameter.<br />3) Within download page, move the file from its current area into a temporary area. <br />4) Rename the file to some random filename.<br />5) Create a hyperlink, or a javascript window.href to that file now that its in the temporary area (which must have RWX permissions.). Periodically, or after each login, or 10 visits to your website etc, clear down that temporary area.<br /><br />Phew<br /><br />Aj<br /><br />------------<br />Andrew at 6/6/2001 2:23:21 AM<br /><br />I've made a typical login page that after authentication, it lists files from a virtual directory for the user to download. The problem is that when the user clicks on the button to download a file(submitted through a form that redirects to that file), the user can see the actual location of it on the browser's status bar. This would mean that they could ignore the login section and go straight to the files. Even if I make all the pages secure using session variables or cookies, querystrings, etc... the files are still viewable. Is there a solution? Perhaps maybe besides direct downloading to the browser?(Can't seem to find much documentation... even on aspin) Help is EXTREMELY appreciated. <br /><br />