WebApp Sec mailing list archives

Re: Securing PDF file on a Website


From: Andrew van der Stock <vanderaj () greebo net>
Date: Sat, 23 Jul 2005 18:36:36 +1000

The Guide 2.0 (plug! plug!) suggests that you stream it back to the user via an action in your code, rather than using security through obscurity.

So instead of

http://www.example.com/foo.pdf

do:

http://www.example.com/viewpdf.{php,aspx,jsp}

and send in a form POST with the necessary details to detail *which* PDF they should be getting, check the authorization status and then create the PDF on the fly using PDFlib (or similar) and shoot it to them by sending HTTP headers like Content-type and so on.

That way:

a) there are no files to be found by any means
b) authorization is enforced
c) you can process the PDFs Just In Time, rather than generating them for everyone and hoping they will download it.

Andrew

On 23/07/2005, at 3:25 PM, echow () videotron ca wrote:

To all:

Is there a way that I can add access to a pdf file to a website in a secure way? What I was thinking was to require user name and password to access this very confidential file. I was also thinking about requiring the use of tokens and/or certificates.

The user group for this application is pretty low tech so my challenge is to come up with something that is secure but really straightforward to use.

Any thoughts on how I would implement this would be most appreciated.

Regards,



Edmond
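Andrew's viewpdf action written out in Python as an added example (not code from this thread or from the Guide): the handler takes the POSTed document id, checks the caller's authorization against an ACL, and streams the PDF with explicit headers. The in-memory DOCUMENT_STORE, ACL table and session_user argument are constructed stand-ins, and just-in-time generation with PDFlib is replaced by returning stored bytes.

```python
import re

# Constructed stand-in for a document store that lives OUTSIDE the web root,
# so nothing here is reachable by guessing a URL. In a real deployment this
# would be a database row, or PDFlib rendering the bytes just in time.
DOCUMENT_STORE = {
    "annual-report": b"%PDF-1.4\n%constructed sample document\n",
}
# Assumed ACL: which authenticated users may read which document ids.
ACL = {"annual-report": {"edmond"}}

# Only plain identifiers are accepted; a path is never built from user input.
DOC_ID_RE = re.compile(r"^[a-z0-9-]{1,64}$")


def view_pdf(session_user, form):
    """Handler behind POST /viewpdf. Returns (status, headers, body).

    session_user: the user from the server-side session, or None if not
    logged in. form: the POSTed fields as a dict.
    """
    doc_id = form.get("doc", "")
    if not DOC_ID_RE.match(doc_id):
        return 400, [("Content-Type", "text/plain")], b"bad request"
    if session_user is None:
        return 401, [("Content-Type", "text/plain")], b"login required"
    # Same response for "no such document" and "not yours", so a caller
    # cannot enumerate which ids exist (design choice, not from the thread).
    if session_user not in ACL.get(doc_id, set()):
        return 404, [("Content-Type", "text/plain")], b"not found"
    body = DOCUMENT_STORE[doc_id]  # or render it here, just in time
    headers = [
        ("Content-Type", "application/pdf"),
        ("Content-Disposition", 'attachment; filename="%s.pdf"' % doc_id),
        ("Content-Length", str(len(body))),
        # Keep browsers and intermediate proxies from retaining a copy.
        ("Cache-Control", "no-store"),
        ("Pragma", "no-cache"),
        ("X-Content-Type-Options", "nosniff"),
    ]
    return 200, headers, body
```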


