
I have a dir on my server that has 1

Status
Not open for further replies.

glenmac

Technical User
Jul 3, 2002
947
CA
I have a dir on my server that has dir listing enabled. I want this enabled so all I have to do is add files to be viewed by clients. I have an asp password page that links to the dir and sets a cookie on the client's machine.
What I'd like to do is have a default page in the dir that makes sure the cookie is set before opening the dir for viewing. I tried using a default.asp page in the dir to check for the cookie; it works fine, but when I have it in there the dir is not visible. I realize this is proper, but is there a way to make the dir visible only if the client has the cookie? This is the code for the pages:

Password Page

Code:
<%@ Language=VBScript %>
<html> 
<head><title>PicturesPassword</title></head> 
<body bgcolor="#333399"  text="#CCCCCC" link="#009900" vlink="#0099CC">
<div align = "center">
<p> Enter your name and password</p> 

<form method="post" action="/picsPW.asp"> 
Your name: <input type="text" name="name" size="20"><BR> 
Your Password: <input type="password" name="pass" size="15"><BR> 
<input type="Submit" value="Submit"> 
</form> 
</div>
<!--#include virtual="/274/Glens_IncludeA.asp" -->
</body> 
</html>

Verification page


Code:
<%@ Language=VBScript %>

<html>
<head>
<title> Password Checker</title>
</head>
<body>
 <!--#include virtual ="\274\Glens_IncludeA.asp"-->

 <%
 Dim MyArray(4,1),password,name,i,test,OK

 OK = Request.form("pass")
 password = request.form("pass")
 name = request.form("name")

 ' Column 1 holds the names, column 0 the matching passwords
 MyArray(0,1) = "Karen"
 MyArray(1,1) = "Paul"
 MyArray(2,1) = "Janet"
 MyArray(3,1) = "Rita"
 MyArray(4,1) = "Glen"

 MyArray(0,0) = "Karen"
 MyArray(1,0) = "Paul"
 MyArray(2,0) = "Janet"
 MyArray(3,0) = "Rita"
 MyArray(4,0) = "Glen"

 test = false
 for i = 0 to 4
  If MyArray(i,1) + MyArray(i,0) = name + password Then
   test = true
   Exit For
  End If
 next

 If test = true then
  ' Set the cookie and session only after the name/password pair has matched
  response.cookies("Client") = "test"
  response.cookies("Client").expires = date + 1
  Session("userID") = OK
  response.addheader "Refresh","5;URL=http://www.Myserver.com/Pictures"
 Else
  response.addheader "Refresh","5;URL= PicsPW2.htm"
 end if
 ' HTML-encode the submitted name before echoing it back
 response.write "Hi " & Server.HTMLEncode(name) & " Checking your password, If correct You'll see the pics in 5 seconds."

 %>

</body>
</html>


Page in the dir


Code:
<%@ Language=VBScript %>
<html><head><title> Validate</title></head><body>
<%
' Send the visitor back to the password page when the cookie is missing
If request.cookies("Client")="" then
Response.redirect "http://www.myserver/PicturesPassword.htm"
end if%>
</body>
</html>
All help will be greatly appreciated.
 
glenmac,

if you specify a default page for a directory, that page will be displayed and you'll lose the directory listing that the server generates.

you can overcome this simply by listing links for every file in that directory:

<%
Dim objFS, objFolder, strPhysPath, strScrNam, strThisFold, File, Folder

' Work out the physical folder that this script lives in
Set objFS = Server.CreateObject("Scripting.FileSystemObject")
strPhysPath = Request.ServerVariables("APPL_PHYSICAL_PATH")
strScrNam = Request.ServerVariables("SCRIPT_NAME")
strThisFold = strPhysPath & Left(strScrNam,InstrRev(strScrNam,"/")-1)
Set objFolder = objFS.GetFolder(strThisFold)

' Subfolders first; names are HTML-encoded so "&" or quotes cannot break the markup
For each Folder in objFolder.Subfolders
Response.Write(VbCrLf & "<a href=""" & Server.HTMLEncode(Folder.Name) & """><b>" & Server.HTMLEncode(Folder.Name) & "</b></a><br />")
Next

Response.Write(VbCrLf & "<dl>")

' Then one link per file
For each File in objFolder.Files
Response.Write(VbCrLf & "<dd><a href=""" & Server.HTMLEncode(File.Name) & """>" & Server.HTMLEncode(File.Name) & "</a></dd>")
Next

Response.Write(VbCrLf & "</dl>")
%>





=========================================================
if (!succeed) try();
-jeff
 
Thanks for the input, I really appreciate it. A Star for you!!!
 
One important point to remember is that your actual files are not password protected in this scenario, only the directory listing. If someone can guess the name of a file, they can still get to it without logging in.

The way I have gotten around this in some of my applications is to have a directory on your web server that is not part of your web (e.g. d:\files). Then this default.asp page lists the files in the d:\files directory. Since the d:\files directory is not part of your web, the users on the internet cannot get to them. You would then create a getFile.asp page that takes in the name of the file the user is trying to get and returns it to them. The getFile.asp page would also check to ensure the user has logged in.

To accomplish this, in getFile.asp you would open the file, read it into an object and then execute a Response.BinaryWrite to get the user the file. Or you could use a COM object such as Infomentum’s ActiveFile.


Thanks,

Gabe
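
The getFile.asp page described in the post above, as an added example that is not code from the thread or from any poster. It assumes the files live in d:\files (the post's example path), that the login page sets Session("userID") only after a successful password check, and a hypothetical query parameter named f; the redirect target is likewise an assumption.

```asp
<%@ Language=VBScript %>
<%
Option Explicit
' Added example: getFile.asp. Assumed names: BASE_DIR, the "f" parameter,
' and Session("userID") being set only after a successful login.
Const BASE_DIR = "d:\files\"   ' outside the web root, as in the post
Const adTypeBinary = 1         ' ADODB.Stream binary mode

Dim fso, requested, safeName, fullPath, stream

' 1. Require a server-side login marker. A client cookie with a fixed
'    value can be created by hand, so it is not used as proof of login.
If Session("userID") = "" Then
    Response.Redirect "/PicturesPassword.htm"   ' assumed login page URL
End If

' 2. Accept a bare file name only. GetFileName returns the last path
'    component, so any input containing "..\", "/" or a drive letter
'    differs from its own file name and is rejected.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
requested = Request.QueryString("f")
safeName = fso.GetFileName(requested)
If safeName = "" Or safeName <> requested Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 3. The file must exist inside BASE_DIR (directories fail FileExists).
fullPath = BASE_DIR & safeName
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 4. Read the bytes and stream them back; the client never learns the
'    physical path and cannot request the file directly by URL.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile fullPath

Response.Clear
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & safeName & """"
Response.BinaryWrite stream.Read
stream.Close
%>
```

The listing page would then link to getFile.asp?f= followed by the URL-encoded file name instead of linking to the file itself.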
 
Gabe,

good point - I've used this same technique, though I simply use the CopyFile method of the FileSystemObject to copy the file from the safe directory to a web-accessible directory, and DeleteFile when the page is unloaded.

=========================================================
if (!succeed) try();
-jeff
 