File Upload and SSL 1

[mwa]

I have written (copied/pasted) a little file upload application that uses the following code:

filename.PostedFile.SaveAs(sPath + strNewFileName)

Users will be uploading .txt files from their client machines to our server. The files contain sensitive data that needs to be secure. I need to know if by enabling ssl on the application, is the file that is uploaded secure also? If not, how would I secure the files?



mwa
<><

 

[dragonwell]

I think so, after all SLL encrypts the data transferred back and forth between browser and server, including data entered in form fields. The text file is just form-data, so that is encrypted too. Now, once you get it on the server you need to make sure it is saved in a secure location.

 

[mwa]

I hadn't thought about that. Any ideas as to the best way to handle securing the directory?

mwa
<><

 

[mcowen]

mwa's issue is what I am hunting for. The Web Server is clearly not the secure place for the file...our WS, as is usual, is outside the domain of the network where my database resides. I am trying to find a way to communicate across from the WS to my database server (via a firewall) in such a way so as the file uploaded is NOT saved on the web server. This functionality is offered by software such as FileUpEE but their product is too expensive for a pilot project.
I have been looking into .NET remoting. Does anyone have any advice for using this? I thought I could save the file in memory as a byte array and stream it to another .NET application residing on my database server. All this could use HTTPS so I'm not likely to expose my file locations to Joe public.

I havent come across any examples of this being done so am looking for advice.

TIA,

Matt

 

[ca8msm]

If you have a user that has permission to the network path that is your database server, could you impersonate a user that has this access and save the file in that folder?


____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.

 

[mcowen]

Cheers ca8msm, but how can I stream the data from the Web Server to the database server (this isnt ADO) as the upload takes place? There are memory management issues with ASP.NET (v1 that is I dont know about v2) that mean I cant load uploads into memory on the WS because if the memory usage gets to 60% of available RAM the ASP.NET process is reset and I lose my service.
To do what I want I cant see any other way than to have a .NET app on the db server that listens to requests for file transfer and writes the data to disk.

Just dont know how to do this.

Matt

 

[ca8msm]

I'm not sure that you do have to stream it do you? Wouldn't you just do something like:

' Start Impersonation
myFileUpload.PostedFile.SaveAs("\\mydatabaseserver\" & strNewFileName)
' End Impersonation

That way, you have the file in memory from when it was posted, then you start to use account that does have access to the database server and save the file. Then you end the impersonation so that the file can no longer be accessed.


____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.