WebApp Sec mailing list archives

RE: Controlling access to pdf/doc files


From: "Paulus Widodo" <paulus.widodo () ai astra co id>
Date: Thu, 26 Feb 2004 18:42:11 +0700

 
Hi,

You can use Microsoft Rights Management Server. For more information on RMS,
look at:

http://www.microsoft.com/rms/

Regards,
=paulus=

-----Original Message-----
From: Sangita Pakala [mailto:sangita.pakala () paladion net]
Sent: Tuesday, February 24, 2004 10:22 PM
To: webappsec () securityfocus com
Subject: Controlling access to pdf/doc files

Hi,

Could I have the list's thoughts on an answer we are preparing for the next
version of the AppSec FAQ at OWASP?
 
Question - How can I ensure my application allows only authenticated users
access to files like *.pdf or *.doc?

Issue - Suppose a web site, say a bank site, displays the user's account
statement as a .doc file. What if someone tries to access this file by
typing its full URL into the address bar? How does the application check
whether the user trying to access the file is the authenticated user and
that the session has not expired?

Solution - One solution is to have a random number for the name of the file
or the folder containing it. This random number could even be related to the
session token of the user. This file/folder should then be deleted as soon
as the user's session has expired.

Are there better methods available to address this issue? Can the web server
run a server side program to verify the session token before serving the
final GET request for the file?


Thanks,
Sangita.

OWASP AppSec FAQ
http://www.owasp.org/documentation/appsecfaq

Paladion Networks
http://www.paladion.net
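The server-side check the original question asks about, as an added example that is not from either poster: documents are stored outside the web server's document root and every GET for one goes through a handler that validates the session token, its expiry and the caller's ownership before any bytes are sent. The storage root, document table, session TTL and sample files are constructed for the example.

```python
import os
import secrets
import tempfile

# Constructed sample data: statements live OUTSIDE the document root, so the
# only route to them is this handler; nothing is reachable by guessing a URL.
STORAGE_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="statements-"))
DOCUMENTS = {  # opaque document id -> (owner user id, file name under STORAGE_ROOT)
    "stmt-2004-02": ("alice", "alice-2004-02.doc"),
    "stmt-2004-01": ("bob", "bob-2004-01.pdf"),
}
for _doc_id, (_owner, _name) in DOCUMENTS.items():
    with open(os.path.join(STORAGE_ROOT, _name), "wb") as _f:
        _f.write(f"statement for {_owner}".encode())

SESSION_TTL = 900  # seconds of inactivity after which a session is dead (assumed)
SESSIONS = {}      # session token -> (user id, last activity timestamp)


def login(user_id, now):
    """Issue an unguessable session token; the state lives server side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (user_id, now)
    return token


def serve_document(token, doc_id, now):
    """Handler run for GET /documents/<doc_id>. Returns (HTTP status, body)."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, b"not authenticated"
    user_id, last_seen = session
    if now - last_seen > SESSION_TTL:
        del SESSIONS[token]           # expired: revoke, not just deny
        return 401, b"session expired"
    SESSIONS[token] = (user_id, now)  # sliding expiry on activity
    entry = DOCUMENTS.get(doc_id)
    if entry is None:
        return 404, b"not found"
    owner, name = entry
    if owner != user_id:
        return 403, b"forbidden"      # authenticated, but not this user's file
    path = os.path.realpath(os.path.join(STORAGE_ROOT, name))
    if not path.startswith(STORAGE_ROOT + os.sep):
        return 404, b"not found"      # defence in depth: never leave the store
    with open(path, "rb") as f:
        return 200, f.read()
```

Because the file name never appears in the URL and the session state is checked on every request, nothing needs to be created or deleted per session as in the random-name scheme.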
