Re: Securing file access

[Subs <subs () steelesoftconsulting com>]

  Or in PHP which works just fine on IIS (even with forward slashes :)

function send_file($path, $name} {
  if(!$fp = fopen($path. $name, 'rb'))
    die('Unable to open '. $name);
  header('Content-Type: application/pdf');
  header('Content-Length: '. filesize($name));
  fpassthru($fp);
  exit;
  }

send_file('/some/non/www/path', 'mysecret.pdf');

> On 27 Sep 2004 at 11:57, John M. L. wrote:
>
> > I have a project that involves a members only area on web page on IIS.
> > The members' only area is secured by a database (MS Access) so users are
> > authenticated by their name and some MD5 hash etc.  I need to allow files
> > (mostly PDFs) for download to authenticated users only.  In my opinion this
> > means that the files can not be stored in any www accessible folder
> > (regardless of any renaming convention etc, I absolutely cannot have 
> someone
> > guess a file name to download).  In order to access the files, the database
> > would link a file to a unique id, so a page that validates the user would
> > then give access to the file stored outside of the www on the server.  Now,
> > this is where the real question lies.  How is this possible since the files
> > are not in a www accessible path, since a mere link to a file won't due.
> > Any thoughts would be welcome.  If I'm going about this completely wrong
> > that would be nice to no too :)  Forgive me if the answer is simple, I'm a
> > Linux fan and haven't used IIS etc for years.
> > One more note: IIS, MS Access and VBScript are not my technologies of
> > choice, but merely what I was given to work with.  I also have very limited
> > control over administering IIS.
> >
> > John
> > www.recaffeinated.com
> >
> Hi John,
>
> You are going about this the right way.
>
> Store the PDFs outside the www root, but still give the user ISR_<computer 
> name>
> permission to read the files ( or whatever user your site is running 
> under).  Once the
> web user has authenticated, your script can read the PDF into memory then 
> stream
> the file to the user.  A simple example is below:
>
> <%
>
> set fs=server.createobject("Scripting.filesystem")
>
> set PDFin=fs.opentextfile(pathtoPDF,1,false)
> PDF=PDFin.readall
> PDFin.close
> set PDFin=nothing
>
> Response.contenttype="application/pdf"
>
> resonse.binarywrite StrToBin(PDF)
>
> response.end
>
> function StrToBin(str)
>         for x=1 to Len(str)
>                 StrToBin=StrToBin & ChrB(Asc(Mid(str,x,1)))
>         next
> end function
>
> %>
>
> You may not need to use the StrToBin function - I can't remember off the 
> top of my
> head ;)
>
> Regards
>
> Ian
> --