I have NT 4.0 SP6 OS running NT option pack 4.0 IIS. I have a website made up of HTML, ASP, VBScript, and some JavaScript. I have some code which hits some Access databases. I want to keep websurfers from being able to download files from my server just by entering the url and the file name. EX: <A HREF=" TARGET="_new"> there anyway I can prevent this??
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
[b]How do I keep ppl from downloading files through their browser[/b] 1
- Thread starter Webrookie
- Start date
- Thread starter
- #2
Dear Webrookie,<br><br>Have you tried configuring IIS though the Microsoft Management Console to limit files to the types you allow access to, i.e.: .ASP, .HTM, .HTML, .DOC, etc. ?<br><br>If I remember correctly this can be done at the folder level.<br><br>Hope this helps<br>-pete
SandiRae
Technical User
I'm not sure if I can help or not, but where are they getting the name of your mdb? This can be put into a different directory, and called by an include file in a different directory, and those different directories can have directory browsing turned off, and then they can't get the names, so how can they download? <br>(Can you tell it's past my bed time?)
kirankumar
Programmer
In the first page of your web site, may be a login page in most of the cases,to which you allow all users to access,assign a value to session variable,may be the user's name.Now in each and every page, check for the null value of the session variable. If it is null, display a message like "Not authorised to view", and redirect the user to the home page or login page. If the session variable is not null then allow the user to view the file.At the end may be at log off page, assign a null value to the session variable. <br><br>I think you got what you want.
- Thread starter
- #6
I don't really want to have a login page...it's for public viewing.<br><br>And to answer a question above...they can't get the filenames....there is no directory browsing allowed...but if they were to just guess the filenames. I mean, I suppose I could come up with some intracate naming conventions, but that seems a little extreme...<br><br>The #include thing could work, I'll try that...
-
1
- #7
All you have to do to prevent people from downloading the database is don't put it in a directory that's accessible via HTTP. For example, assuming your default web site is in the c:\inetpub\ tree, just put your database in the c:\databases directory. Your program can open the database as long as you give the internet guest account write access to that folder, using NT user manager.<br> <p>nick bulka<br><a href=mailto:nick@bulka.com>nick@bulka.com</a><br><a href= > </a><br>
Also, if your using Access you can password protect it with a user name and password.. Then even if they did somehow guess your database name and path (which is so highly unlikely that unless you have such confidential data that the CIA is after it) they would have to have a user name and password.. So you have a few layers of security here you can add.. You can also do like the other poster said and add server side security, but I don't see the point if you have good page names that are hard to guess, have your browse permissions off using FP or VI to do so, and stick your files that you absolutely don't want visible in these folders.. In IIS you can also start a folder name with an underscore and this automatically will stop any browsing I do believe in that folder.. You can then put files in that folder.. I think you can still get at the files with your scripts, but browsing would not be allowed by default.. Don't quote me on that last one though..
Best Regards
Tim
Best Regards
Tim
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question