Security for opening Word/PDF documents 1


dexeloper

Programmer
Oct 26, 2004
162
GB
I realise I can put a link in an ASP/HTML file to a Word or PDF document and that document will be opened for the user. However, does anyone have any method for restricting access to certain documents? Is there a way of putting some sort of authentication in the link?
Thanks in advance.
 
They aren't. How could they be? A link is a link. That's what I'm asking. When getting data from a database you use a profile/password to connect, but a link ...
 
That is possible by assigning user rights on OS level. When the user clicks on a link, they will see a popup window asking for credentials.
This may work with few users/ intranet/ small company....
 
The users will already have signed in to the website. They won't want to log in to each document.
 
Signed in on OS level? What do you see with:
response.write Request.ServerVariables("LOGON_USER") ?


A signed user may see *all* documents?
if not, it sounds like an app i once made, where users are not allowed to simply retrieve PDF documents by guessing/ altering URL's....


 
Let's assume you know who the user is. The website is an extranet. They've signed in. How do you control access to documents in an internet folder with anchor links?
 
Let's assume you know who the user is. The website is an extranet. They've signed in. How do you control access to documents in an internet folder with anchor links?

HOW DO YOU AUTHENTICATE THEM???? HOW ARE THEY SIGNED IN?

^ what part of that do you not understand? It's not just me asking, foxbox asked the exact same question in a different format - did that not set off fireworks in your head that maybe it's an important question?

If you are not going to give an answer to a simple question, here's a simple answer.

Code:
<% If user = "john.smith" Then %>
<% ' active link %>
<% Else %>
<% ' no link %>
<% End If %>





--------

GOOGLE is a great resource to find answers to questions like "how do i..."


--------
 
Yes, yes. understand all that - BUT - what stops anyone opening the document by entering the correct path in their browser. What is the authentication (if any) embedded in the anchor link?
 
Yes, yes. understand all that - BUT - what stops anyone opening the document by entering the correct path in their browser. What is the authentication (if any) embedded in the anchor link?

How do they know the path?

Why not change all the file names to GUIDs - that way the user won't be able to even guess them? Having a lookup table in your db linked to each guid for the file name can display a better description on the page.

Or you can tell us how your users are authenticated and maybe someone can help.


 
Renaming files to guids sounds a bit drastic, though I suppose it would achieve the objective.

The users are authenticated by logging in. Nothing unusual. My request concerns the anchor link but I don't think I'm getting anywhere with that. Thanks for your efforts.
 
so your problem is the one i guessed earlier:
"it sounds like an app i once made, where users are not allowed to simply retrieve PDF documents by guessing/ altering URL's...."

Roughly it works like this:
1. A table with userid-document_url combinations
2. This makes it possible only to show relevant links on the page
3. Those links are
Code:
 <a href="show_document.asp?id=[tableid]">[name of document]</a>


4. In show_document.asp a check if the logon_user is allowed to use tableid
So the link show_document.asp?id=1 may work for me, but not for you. And when i try to be clever [show_document.asp?id=2] it may also not work.


5. We don't want to tell the user the path/name of the retrieved document, so actually i'm streaming the document to the users browser.









 
But if an authorised user leaves or tells someone else the path of a document that other person can enter that path directly into their browser. You call that secure?
 
All the user sees is a link with "show_document.asp?id="; no path/ no document name. The location (path/folder) and document is stored in the database table.
The program then STREAMS the file to the browser, so the user can't see the location etc. Of course you must do some additional security with that folder and yes: GUID filenames are good (i do that trick in another app with the photos).
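
The per-user check and streaming steps described in the two posts above, as an added example that is not part of the original thread or the poster's application. The table `user_documents` and its columns, `Application("ConnStr")` and the document folder outside the web root are assumptions; a site with its own login form would take the user id from its session instead of `LOGON_USER`.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' show_document.asp: added example, not the poster's code. Assumed names:
' table user_documents(id, userid, file_path, display_name, content_type),
' Application("ConnStr"), and a document folder outside the web root.
Const adInteger = 3, adVarChar = 200, adParamInput = 1, adCmdText = 1, adTypeBinary = 1
Dim re, docId, userName, conn, cmd, rs, filePath, safeName, mimeType, stream
userName = Request.ServerVariables("LOGON_USER")
docId = Request.QueryString("id") & ""
Set re = New RegExp : re.Pattern = "^\d{1,9}$"
' Refuse anonymous callers and anything that is not a plain integer id.
If userName = "" Or Not re.Test(docId) Then
    Response.Status = "403 Forbidden"
    Response.End
End If
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")
' Parameterised lookup: a row comes back only if THIS user is granted THIS id.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT file_path, display_name, content_type " & _
                  "FROM user_documents WHERE id = ? AND userid = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(docId))
cmd.Parameters.Append cmd.CreateParameter("userid", adVarChar, adParamInput, 255, userName)
Set rs = cmd.Execute
If rs.EOF Then
    ' Same answer for "no such id" and "not yours", so ids cannot be probed.
    rs.Close : conn.Close
    Response.Status = "404 Not Found"
    Response.End
End If
filePath = rs("file_path").Value
mimeType = rs("content_type").Value
re.Pattern = "[^\w .-]" : re.Global = True
safeName = re.Replace(rs("display_name").Value, "_")  ' keep quotes/CRLF out of the header
rs.Close : conn.Close
' Stream the bytes; the browser only ever sees show_document.asp?id=N.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile filePath
Response.Clear
Response.ContentType = mimeType
Response.AddHeader "Content-Disposition", "inline; filename=""" & safeName & """"
Response.BinaryWrite stream.Read
stream.Close
%>
```

Because the files sit outside the web root, a shared or guessed path has no URL to resolve to, and a shared `show_document.asp?id=N` link fails for any user without a matching row.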

 
Just to be clear foxbox are you storing the documents in the database or in a folder?
 
Good. I've never liked the idea of storing them in a database.

Many thanks for your suggestions on this. I'll have a go at your 'streaming' method and see where I get.

Thanks again.
 
But if an authorised user leaves or tells someone else the path of a document that other person can enter that path directly into their browser. You call that secure?

The web and its content are only as secure as your users make it, you can try to add as much security as you want, but even if that doesn't work, what's to stop someone from printing the document and sending it to one of their friends? Or saving it, copying pasting it into another document....etc....

If I log onto facebook (as an example) and do a right-click/view properties of one of my friend's photos. I can forward that link to anyone and they can see that photo even though my friend has it set up so "only his friends can see his photos".

At least that was the case about 1.5 years ago when I tried it, maybe they've changed it somehow since then.





 