WebApp Sec mailing list archives
Re: Securing file access
From: PD9 Software <info () pd9soft com>
Date: Tue, 28 Sep 2004 08:55:57 -0500
John M. L. wrote:
agree with this approach. In order to access the files, the database would link a file to a unique id, so a page that validates the user would then give access to the file stored outside of the www on the server. Now, this is where the real question lies. How is this possible since the files are not in a www accessible path?
The best way is to create a file that does two things:
1. Checks that the user is authenticated
2. Reads the file from the filesystem and hands it back to the client.

Typically I have accomplished this through reading the otherwise inaccessible file using either the FilesystemObject or ADO's Stream object, then using response.binarywrite to send it back to the browser.
While there are almost certainly other approaches that will work as well or better, I have done it this way in the past, and if you would like some sample ASP code to look over, I can send it to you off the list.
--
Matt Summers
PD9 Software, Inc
http://www.pd9hosting.com / Hosting & Design
http://www.pd9soft.com
4520 Moorfield Ln
Fort Wayne, IN 46816
(815)642-9367 - Fax
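The two steps described in the message above, as an added example in classic ASP (VBScript); it is not Matt Summers's sample code. The base directory, connection string, `Files` table and its columns, and the `Session("UserID")` login marker are assumptions, as is the per-owner condition in the query.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example. Assumed names (none are from the post): Session("UserID") is set
' at login; BASE_DIR lies outside the web root; the table
' Files(FileID, OwnerID, StoredName, DisplayName, ContentType) maps ids to files.
Const BASE_DIR = "D:\protected_files\"
Const CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=AppDb;Integrated Security=SSPI"
Const adTypeBinary = 1, adInteger = 3, adParamInput = 1
' 1. Check that the user is authenticated.
If IsEmpty(Session("UserID")) Then
    Response.Status = "401 Unauthorized" : Response.End
End If

' The client sends only a numeric id, never a path or a file name.
Dim fileId, re
fileId = Request.QueryString("id") & ""
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(fileId) Then
    Response.Status = "400 Bad Request" : Response.End
End If

' Parameterized lookup; the OwnerID condition keeps one user from fetching another's file.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = CONN_STR
cmd.CommandText = "SELECT StoredName, DisplayName, ContentType FROM Files WHERE FileID = ? AND OwnerID = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(fileId))
cmd.Parameters.Append cmd.CreateParameter("owner", adInteger, adParamInput, , CLng(Session("UserID")))
Set rs = cmd.Execute
If rs.EOF Then
    Response.Status = "404 Not Found" : Response.End
End If

' 2. Read the file from the filesystem and hand it back to the client.
' StoredName is a server-generated name; DisplayName is stripped of quotes and CR/LF.
Dim stm, shownName
re.Pattern = "[""\r\n]" : re.Global = True
shownName = re.Replace(rs("DisplayName").Value, "")
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile BASE_DIR & rs("StoredName").Value
Response.ContentType = rs("ContentType").Value
Response.AddHeader "Content-Disposition", "attachment; filename=""" & shownName & """"
Response.BinaryWrite stm.Read
stm.Close
%>
```

Because the path is built only from `BASE_DIR` and a name taken from the database row, nothing in the request can steer the read to another location on disk.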