  1. #1
    Pyrc Guest

    URL security

    What I want to be able to do is allow the user to open a document from a hyperlink but prevent the user from opening that same document when they key the URL directly.

    I have created a bulletin system on an Intranet where users can publish bulletins specifying which levels of users can view that bulletin. The bulletins are all stored in a directory and are html, pdf or xls. When a user enters the bulletin system they have a list of bulletins (hyperlinks) that they have the security to access (security is all database/ASP controlled).

    The problem we have is that when a user clicks on a bulletin and it's a PDF, the PDF document opens with a title bar containing the URL of the bulletin. Not usually a problem, except we have some smart users then guessing the name of some of the secure versions of the bulletin and then entering this URL in a location bar (which we have removed from the bulletin system but obviously cannot remove from IE/NS completely).

    We can't use NT security to control it as we have several users coming from each site using the same NT user id, and then once they are in the bulletin system they have the ability to change their level of user security. It is handled like this to reduce the amount of maintenance that would otherwise be required to keep NT security up to date with all our customers' employees etc.

    Does anyone have any suggestions?

  2. #2
    Priyan Guest

    Try this...

    Hi,
    Pass some encrypted value/password to the link you are calling and decrypt and check it in the other page.

    <a href="YourPage.asp?mCode=<%=encrypt(mCode)%>">Your Link</a>

    Hope this helps U.

  3. #3
    pyrc Guest

    RE: Try this...

    Thanks for your help but I don't think that will work. Some of my anchors are <A href='x.pdf'> so how can I check for an encoded value in that? Unless you know of a way of ASP opening a pdf file?
    :-)

  4. #4
    Aquarius Guest

    Security through obscurity

    You don't want to hear me moan about how insecure relying on the secrecy of the filename is, do you? No? Thought not :)

    What you might want to do is store the PDFs somewhere outside the document root, and have an ASP page that opens a requested PDF using the FileSystemObject and then streams it to the client with Response.BinaryWrite. You'll have to set the content-type of the page: there's a note at http://msdn.microsoft.com/workshop/essentials/webmen/webmen0512.asp#asp about this. Another useful note can be found at http://www.asp101.com/resources/aspupload.asp -- see the bottom of the page where it talks about images in a database and the Getimage.asp script.

    Clearly if the data is streamed from an ASP you can do any kind of authentication and checking you like before actually sending the data...

    Aq.
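
The gatekeeper page suggested in post #4, sketched as an added example that is not part of the original thread: the client sends only a bulletin id, the page checks the user's level, then streams the file from a directory outside the web root. The page name, `STORE_DIR`, `Session("UserLevel")` and the sample catalogue (standing in for the bulletin database) are assumptions, and the file is read with ADODB.Stream rather than FileSystemObject because FileSystemObject reads text, not raw bytes.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' getbulletin.asp?id=N  (hypothetical page name; added example)
' Files live outside the web root, so no URL maps to them directly.
Const STORE_DIR = "D:\bulletins\"   ' assumed path, not under the site root
Const adTypeBinary = 1

' Constructed sample catalogue standing in for the bulletin database:
' id -> "filename|content type|minimum user level"
Dim catalogue : Set catalogue = Server.CreateObject("Scripting.Dictionary")
catalogue.Add "101", "canteen-menu.pdf|application/pdf|1"
catalogue.Add "102", "pricing-q3.xls|application/vnd.ms-excel|3"

Sub Deny(statusLine)
    Response.Status = statusLine
    Response.End                    ' stops the script; nothing below runs
End Sub

Dim id : id = Trim(Request.QueryString("id"))
' The client supplies an id, never a file name or path, so a guessed
' name or a "..\" sequence has nothing to act on.
If Not catalogue.Exists(id) Then Deny "404 Not Found"

Dim parts : parts = Split(catalogue(id), "|")
' Session("UserLevel") is assumed to be set by the existing login code.
' An unset value converts to 0 and fails the comparison below.
Dim level : level = Session("UserLevel")
If Not IsNumeric(level) Then Deny "403 Forbidden"
If CLng(level) < CLng(parts(2)) Then Deny "403 Forbidden"

Dim stm : Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile STORE_DIR & parts(0)

Response.Buffer = True
Response.Clear
Response.ContentType = parts(1)
Response.CacheControl = "private"   ' keep shared proxies from caching it
Response.AddHeader "Content-Disposition", "inline; filename=""" & parts(0) & """"
Response.BinaryWrite stm.Read
stm.Close
Set stm = Nothing
Response.End
%>
```

Because the level check runs on every request, a URL copied from the title bar or guessed by changing the id returns 403 unless the session is entitled to that bulletin.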

