Re: Prevent security bypass

[c3rb3r <c3rb3r () sympatico ca>]

i see an easy solution, put your static stuff outside the web 's root 
thus in a directory not mapped with IIS and load your static documents 
with  your wrapper script right from this directory. I suppose u already 
have built up a wrapper somewhere for this purpose. this wrapper has 
just to be careful enough  to serve only authenticated sessions.
Gregory



Ulrich P. wrote:

> you could convert your webserver into an apache and then use 
> .htaccess-files to protect whole directory-trees.
> this may somehow seem to be a drastic solution, but in fact it's not. ;-)
> SCNR...
>
> no, to be seriuos. I'm not used to IIS, but there should also be a 
> simple method to do http-authentication and directory protection.
>
> as I can't provide you with details, I would recommend you a quick 
> google-search on that topic. that should help.
>
> or someone else wants to describe it to us...? (got nearly curious 
> now, I admit...)
>
> best regards,
>
> ulrich
>
>
>
> Chris Neil wrote:
>
> > I am new to this mailing list and so hope this conforms to the 
> > guidelines as
> > I read them.
> >
> > How do people address the issue of non-authenticated users requesting 
> > html
> > pages directly from a site without logging in?
> >
> > FYI. This is an IIS server. Our asp pages check the user is logged 
> > in, but
> > with html pages we cannot.
> > My only idea so far is to convert all our html pages to asp. Is there
> > anything less drastic?
> >
> >
> > Chris Neil
> >   Security Officer
> >   Chris.Neil () abs-ltd com
> > -------------------------------------------
> > ABS   Tel:     +44 (0) 1993 771221
> >   Fax:    +44 (0) 1993 775081
> > -------------------------------------------
> >
> >
> > .