File Level access through IIS and ASP

  1. #1
    File Level access through IIS and ASP

    I have an ASP intranet web application where users upload their files. The files can be text, doc or anything. The users' logins and passwords are in a database, and I have knowledge of which user uploaded which file in the database. Now I want the user who uploaded the file to be the only one who is able to access it. E.g. users A and B upload two files, a.txt and b.txt respectively, and I store them in the root directory at and respectively. Now I want that only user A should be able to access a.txt and should not be able to access b.txt, and similarly for user B. Cookies are enabled and I have a function which tells me if the user has access to it or not. But if I set the read permission of directory "uploadedfiles" to true, then if A knows the URL of b.txt and writes it, he will be able to read it. But if I set the read access to false, nobody will be able to access it. Since user accounts are different from Windows accounts, I can't even use IIS NT challenge/response or Basic Authentication.

    The only relevant page I have found is which says that I will have to make my own filter and work with IIS. All I want is that I should restrict access based on users which are not integrated with Windows accounts and have different file access for different files. Can't I do it in any other way?

    Thanks and cheers
    Jasdeep

  2. #2
    RE: File Level access through IIS and ASP

    You store the files either off-site, or in a database. Off-site means in a folder that is not accessible via HTTP. If you don't want to store the file as a binary blob in the database, you store it off-site, and you store its file path in the database, along with its Content-Type (e.g. text/html, image/gif). Then you write an ASP script which accepts the userID and file name (or fileID) as params, either through QueryString or form post. The script then checks the database to see if the user owns the file. If so, then it sets the content type of the output (Response.ContentType), opens the file via the Scripting.FileSystemObject, reads it as binary, and replays it to the output via Response.BinaryWrite. You can also cause the returned stream to have a filename (e.g. yourfile.txt) by setting other headers via the Response.AddHeader method.

    If you store the files as db binary blobs, then the only difference is that you retrieve the file contents from the database field, and output as above.
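
The download script described in the reply above, as an added example that is not part of the original thread. It takes the user ID from the server-side session rather than from a request parameter and reads the file with ADODB.Stream instead of Scripting.FileSystemObject; the table, column, session and connection-string names are assumptions.

```asp
<%
Option Explicit
' Added example (download.asp), not code from the thread. Assumptions:
' Session("UserID") set at login, Application("ConnStr"), table UploadedFiles(FileID,
' OwnerID, StoredPath, ContentType, OriginalName), StoredPath outside any IIS vdir.
Const adInteger = 3, adParamInput = 1, adCmdText = 1, adTypeBinary = 1
Dim re, raw, conn, cmd, rs, path, ctype, fname, stm

Sub Deny(status)
    Response.Status = status
    Response.End
End Sub

' The caller's identity comes from the server-side session, not the request.
If IsEmpty(Session("UserID")) Then Deny "401 Unauthorized"
' Accept only a short decimal fileID; the client never supplies a path.
raw = "" & Request.QueryString("fileID")
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(raw) Then Deny "400 Bad Request"
' The ownership check is part of the parameterized query.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT StoredPath, ContentType, OriginalName " & _
                  "FROM UploadedFiles WHERE FileID = ? AND OwnerID = ?"
cmd.Parameters.Append cmd.CreateParameter("fileId", adInteger, adParamInput, , CLng(raw))
cmd.Parameters.Append cmd.CreateParameter("ownerId", adInteger, adParamInput, , CLng(Session("UserID")))
Set rs = cmd.Execute
' Same 404 for "no such file" and "not yours", so valid IDs cannot be probed.
If rs.EOF Then conn.Close : Deny "404 Not Found"
path = rs("StoredPath").Value
ctype = rs("ContentType").Value
' Strip quotes and line breaks before the name goes into a response header.
fname = Replace(Replace(Replace(rs("OriginalName").Value, """", ""), vbCr, ""), vbLf, "")
rs.Close : conn.Close

' Binary read via ADODB.Stream, then send the bytes to the client.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile path
Response.ContentType = ctype
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fname & """"
Response.BinaryWrite stm.Read
stm.Close
%>
```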
