WebApp Sec mailing list archives
Re: Securing file access
From: Sean Radford <sradford () bladesystems co uk>
Date: Wed, 29 Sep 2004 15:23:01 +0100
And I guess a 3rd party app is not an option, lots around... (http://www.aegeus-technology.com/sw_about.htm is 1 I know of)
John M. L. wrote:

I have a project that involves a members only area on a web page on IIS. The members' only area is secured by a database (MS Access) so users are authenticated by their name and some MD5 hash etc.

I need to allow files (mostly PDFs) for download to authenticated users only. In my opinion this means that the files can not be stored in any www accessible folder (regardless of any renaming convention etc, I absolutely cannot have someone guess a file name to download).

In order to access the files, the database would link a file to a unique id, so a page that validates the user would then give access to the file stored outside of the www on the server.

Now, this is where the real question lies. How is this possible since the files are not in a www accessible path, since a mere link to a file won't do?

Any thoughts would be welcome. If I'm going about this completely wrong that would be nice to know too :)

Forgive me if the answer is simple, I'm a Linux fan and haven't used IIS etc for years.

One more note: IIS, MS Access and VBScript are not my technologies of choice, but merely what I was given to work with. I also have very limited control over administering IIS.

John
www.recaffeinated.com
--
Dr. Sean Radford, MBBS, MSc
sradford () bladesystems co uk
http://bladesys.demon.co.uk/
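Added example, not part of the original thread: one way to build the page the quoted question describes, in classic ASP/VBScript, where the database maps a numeric id to a file kept outside the web root and the script streams it only to a logged-in session. The page name (download.asp), Session("MemberId"), the Files table with FileId and StoredName columns, and both paths are assumptions made for illustration.

```asp
<%
Option Explicit
' Assumed names throughout: Session("MemberId"), table Files (FileId, StoredName),
' and both paths below. None of them come from the original post.
Const STORE_DIR = "D:\members_files\"   ' folder not mapped to any IIS site or vdir
Const DB_PATH = "D:\data\members.mdb"
Const adCmdText = 1, adInteger = 3, adParamInput = 1, adTypeBinary = 1

Sub Deny(status)
    Response.Status = status
    Response.End
End Sub

Dim re, fileId, conn, cmd, rs, fso, stream, storedName, fullPath

' 1. Only a logged-in member gets past this point (flag set by the login page).
If IsEmpty(Session("MemberId")) Then Deny "403 Forbidden"

' 2. The client supplies a numeric id only, never a file name or path.
fileId = Request.QueryString("id")
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(fileId) Then Deny "400 Bad Request"

' 3. Map the id to the stored name with a parameterised query.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DB_PATH
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT StoredName FROM Files WHERE FileId = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(fileId))
Set rs = cmd.Execute
If rs.EOF Then Deny "404 Not Found"
storedName = rs("StoredName").Value & ""

' 4. Refuse anything that is not a bare file name inside STORE_DIR.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = STORE_DIR & storedName
If fso.GetFileName(storedName) <> storedName Then Deny "404 Not Found"
If Not fso.FileExists(fullPath) Then Deny "404 Not Found"

' 5. Read the file server-side and send the bytes in the response.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile fullPath
Response.ContentType = "application/pdf"
Response.AddHeader "Content-Disposition", "attachment; filename=""file" & fileId & ".pdf"""
Response.BinaryWrite stream.Read
stream.Close
%>
```

The IIS worker account needs read access to the storage folder, and nothing may be written to the response before the headers are set.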