WebApp Sec mailing list archives
RE: Securing file access
From: "Koen Vingerhoets" <koen.vingerhoets () ubench be>
Date: Tue, 28 Sep 2004 09:13:56 +0200
Hi, there isn't much difference here between the browsers... You'll need a virtual director on IIS. http://www.zerog.com/ianetmanual/IISVDirs_O.html Make sure to make it READ ONLY if Internet users don't have to write there. Koen -----Original Message----- From: news [mailto:news () sea gmane org]On Behalf Of John M. L. Sent: Monday, September 27, 2004 5:57 PM To: webappsec () securityfocus com Subject: Securing file access I have a project that involves a members only area on web page on IIS. The members' only area is secured by a database (MS Access) so users are authenticated by their name and some MD5 hash etc. I need to allow files (mostly PDFs) for download to authenticated users only. In my opinion this means that the files can not be stored in any www accessible folder (regardless of any renaming convention etc, I absolutely cannot have someone guess a file name to download). In order to access the files, the database would link a file to a unique id, so a page that validates the user would then give access to the file stored outside of the www on the server. Now, this is where the real question lies. How is this possible since the files are not in a www accessible path, since a mere link to a file won't due. Any thoughts would be welcome. If I'm going about this completely wrong that would be nice to no too :) Forgive me if the answer is simple, I'm a Linux fan and haven't used IIS etc for years. One more note: IIS, MS Access and VBScript are not my technologies of choice, but merely what I was given to work with. I also have very limited control over administering IIS. John www.recaffeinated.com
Current thread:
- Securing file access John M. L. (Sep 27)
- Re: Securing file access Saphyr (Sep 29)
- Re: Securing file access Jason Merriman (Sep 29)
- Re: Securing file access Ian (Sep 29)
- Re: Securing file access Subs (Sep 30)
- RE: Securing file access Koen Vingerhoets (Sep 29)
- Re: Securing file access PD9 Software (Sep 29)
- Re: Securing file access Ben Timby (Sep 29)
- Re: Securing file access robbin (Sep 30)
- Re: Securing file access James Barkley (Sep 30)
- <Possible follow-ups>
- Re: Securing file access robbin (Sep 28)
- Re: Securing file access Ido Rosen (Sep 29)
- RE: Securing file access BĂ©noni MARTIN (Sep 28)
- RE: Securing file access Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Sep 29)
- RE: Securing file access Booth, Simon (Sep 29)
- RE: Securing file access Shields, Larry (Sep 29)
(Thread continues...)
- Re: Securing file access Saphyr (Sep 29)