How to prevent web user to access file unless they log on website


BG12424

Programmer
Jun 4, 2002
717
US
Let's say that I have a file called stored on the webserver, but I don't want any user to be able to reference that file unless they are logged in or registered on my website.

1) Should I store files that shouldn't be referenced by all users on the webserver? Or should I store them rather on the hard drive of the server where IIS sits?
2) If my file can be stored on the webserver, then how can I prevent users from accessing that file without first logging in to my website first?

Please advise on my scenarios, thanks.

regards,
Brian

 
Right-click on the site or virtual directory properties, and deselect anonymous access, and select Integrated Windows Authentication. You have to make sure the user has the user account on your domain, otherwise it won't work.
If you do this to an entire web site, it will prompt all the users from the very beginning, but if you rather use a virtual directory within the site and put the file there, it will just prompt for user name and password only when accessing this particular directory.
I hope this helps you.

A+, MCP, CCNA
marbinpr@hotmail.com

"I just know that I know nothing"
Socrates (469-399 B.C.E.)

 
If this is the case, then how would I be able to associate the user's login/password from a web form to the user name in windows (by right-clicking...) in efforts to authenticate them for accessing the file?

I have an internet application, not an intranet application, so I would not have an account setup specifically for that user. Am I missing something here? Thanks

regards,
Brian

 
From your configuration I would recommend putting the file in a virtual directory. (You can make virtual directories while in the IIS console.)
I missed something in my last post. My last post is only to ensure proper authentication, but as you say you need something that links the user account to the rights it has over the file.
*Well, to do that, just go to the folder where the file resides (it will be the virtual directory), and give the proper rights to the user (NTFS and sharing).
My first post will prevent unauthorized users from accessing the virtual directory or files in it, and by doing * above, after the user is authenticated it will look for what rights the user has over the resource.
But for all this the user account must be enabled on the server.
Got it?

A+, MCP, CCNA
marbinpr@hotmail.com

 
I apologize, but I am new to security in IIS, therefore, I might better learn if I had some resource, article, etc. to read from the web.

Do you know any good articles on the web that explain how to configure file structure to allow only for users logged onto a website (using simple username, password checks from an Access DB), then giving that user permissions to download a file? Anyone else out there that is not logged into the website using the above mentioned verification routine (including search engines, spiders, robots, etc.) will not be able to download the file.

regards,
Brian

 
Hi,
If I understand correctly, you cannot do it from IIS. IIS always uses OS security user ID and password. So unless this user has an account on your domain, you cannot use it for security purposes. Now for website registration users, you cannot create unlimited user accounts on your OS.
For this you need a database to hold the registered users. Once they are registered you would have their user ID and password information in the database.
The next thing is to ask your web developer to use ASP programming to show this page (which has the file) differently for the users.
For example, if the user is logged in then show this file as a link, and if the user is not logged in either do not show this file or show only text, no link.
It is a little bit complex but this is a very standard thing.
 
No, this is not what I am wanting to do. I am the one developing this, and I know how to display/not to display records based on user registration. There is a flaw in what you are telling me and my post above, and that is, once the user can see the file, they then have the path to that file to give to friends. The friends will then be able to reference that file directly without having to log into the system. This is what I am trying to avoid. Thank you
Are you trying to debug your ASP applications? See faq333-3255 for more details

regards,
Brian
 
That is true, and if my memory is right, the name is file or folder traversing. Anyway, it can be avoided if you add security at the lowest possible level. If the immediate folder containing the file has the proper restrictions, the situation you are talking about won't happen.
Seems like you have in the path, like, two or more folders before you get to the file, and the security is only applied to the upper folders, not to the one right above the file.

A+, MCP, CCNA
marbinpr@hotmail.com

 
Hi Brian,

Were you able to resolve your problem? I have the exact same issue. I would love to hear what your solution was.

Thanks,
Rachel
 
Is there a website that gives specific instructions, maybe even with screenshots, that explains the setup process for what I am trying to accomplish? Thanks for everyone's input.

regards,
Brian
 
FYI,


This is what I am trying to accomplish and wanting to know how it is done. Hover over the link of the file that will be downloaded, when the file is downloaded, the path to the file is still hidden.

regards,
Brian
 
Brian,

My guess is that they set the content-type to "whatever/pdf" (the correct value for a pdf file) then they stream the data directly to the browser as the response body of the HTTP response.

If so then there is no "path" to the file that is sent to the browser.

Does that help?

-pete
 
So, in theory, if I have a zip file, as in my first post, somewhere on the webserver, and I specify the path in the database, then use the content-type "whatever/zip" (the correct value for a zip file), then I could get the same results and not have to worry about the user seeing the paths to my download files?

regards,
Brian
 
Brian,

I am not sure if this will help but what I have used is Authentix software from Flicks software at
This allows me to protect my files, pictures, web content, etc. without having to use the OS security. It has its own interface for users and groups. It will also help you keep track of usage too. So if someone gives out the password to their friends and everyone logs on using the same account it will protect you from this. I use it for two reasons... one for some of my sites that have members areas and the other is for my techs to log in via the web to update their time sheets.

It was a little high in price but well worth it to me.

Brad Roberts
MCSE+I and CNE
 
Brian,

I lost track of this thread, and just found it again. Do you feel you have an understanding of this issue?

To answer your last post, yes, that is what I was saying. It does not matter where the file is located, no path to the file in any form is ever sent to the browser, just the binary data of the file itself after setting the content-type header appropriately so the browser knows what type of data is being sent. This is exactly what the web server does when you place a link to a .zip file in a HTML page and the user clicks it.

-pete
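
Added example, not part of the original thread or any poster's code: a classic ASP download script that combines the login check Brian asked for with the streaming approach described above. The folder `D:\protected-downloads\`, the session key `Session("UserID")`, the file names and the in-memory id table (standing in for the database lookup) are all assumptions; the folder is assumed to lie outside the web root so that no direct URL to the files exists.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
Response.Buffer = True

' Assumed folder outside the web root: no URL maps to it, so a shared
' link can only ever point at this script, which checks the login first.
Const DOWNLOAD_ROOT = "D:\protected-downloads\"
Const adTypeBinary = 1
Const CHUNK_BYTES = 65536

Sub Deny(status, message)
    Response.Status = status
    Response.Write message
    Response.End
End Sub

' 1) Require a logged-in session. Session("UserID") is an assumed name,
'    set by the site's own login page after the username/password check.
If IsEmpty(Session("UserID")) Then Deny "403 Forbidden", "Please log in first."

' 2) Resolve an opaque id to a file name on the server. The client never
'    supplies a path. Constructed sample data stands in for the database.
Dim files, id, fileName, stream
Set files = Server.CreateObject("Scripting.Dictionary")
files.Add "1", "manual.zip"
files.Add "2", "pricelist.zip"

id = CStr(Request.QueryString("id"))
If Not files.Exists(id) Then Deny "404 Not Found", "No such download."
fileName = files(id)

' 3) Send only the bytes and a display name, never the server path.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile DOWNLOAD_ROOT & fileName

Response.ContentType = "application/zip"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Do While Not stream.EOS
    Response.BinaryWrite stream.Read(CHUNK_BYTES)
    Response.Flush
Loop
stream.Close
Response.End
%>
```

A link copied from a logged-in page and opened without a session gets the 403 response, because the only reachable URL is the script itself.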
 
Paul,

Thanks and yes, I think I understand now. Star for you!

Everyone,
I think I have what I need for now. As long as I can have a path stored in the database, then reference that path to download the file without the end user seeing what path that file came from, I'm happy; and I think I am going to be able to do this by using Pete's reply.

regards,
Brian
 
Sorry Pete, I called you Paul, which is my brother's name and I always correlate palbano to Paul. My bad...:)

regards,
Brian
 
>> I called you Paul,

happens all the time B-) glad i helped.

-pete
 