Re: File downloads

From: Ray Costanzo [MVP] (my)
Date: 02/11/05


Date: Fri, 11 Feb 2005 11:32:32 -0500

One way would be to use Windows authentication on your site instead of users
and passwords in a database. This is often not a viable solution. So, the
more appropriate way would then be to store the .exe file outside of the WWW
area in the file system on your server, and then stream the file back to the
authenticated user:

ASP files: D:\Inetpub\thesite
Path to the exe file: D:\Files\myfile.exe

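<%
    If Session("loggedin") Then ' or whatever you're using to check for login
        ' The file is stored outside the web root, so it has no URL of its own
        FPath = "D:\Files\myfile.exe"
        ' Send the bytes as a download instead of the default text/html
        Response.ContentType = "application/octet-stream"
        Response.AddHeader "Content-Disposition", "attachment; filename=""myfile.exe"""
        Set adoStream = CreateObject("ADODB.Stream")
        adoStream.Open()
        adoStream.Type = 1 ' adTypeBinary
        adoStream.LoadFromFile(FPath)
        Response.BinaryWrite adoStream.Read()
        adoStream.Close: Set adoStream = Nothing
        Response.End
    Else
        Response.Redirect "/login.asp"
    End If
%>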

Adapted from http://www.aspfaq.com/show.asp?id=2276

Ray at work

"Pete" <Pete@discussions.microsoft.com> wrote in message
news:A6CFC58F-F642-445A-97E3-AC8EE17BA721@microsoft.com...
> I have an Access db with usernames and passwords set up on a web site. Upon
> signing in to a password protected asp page which contains a link to an exe
> file, the user clicks the link and the browser asks to either Open or Save
> the file.
>
> All this works fine, but if the user simply types the full path to the file
> in the address bar, the browser again asks the user to either Open or Save
> the file - thus bypassing the security.
>
> Is there a way to prevent this "back door" method of accessing the file or
> would I have to set up an FTP mechanism. If so, How would I go about this?
>
> Many thanks.
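
Extending the approach in the reply above to more than one file, as an added example that is not part of the original thread: a handler (a hypothetical download.asp?id=...) that resolves the requested ID through a fixed allow-list, so the query string never becomes part of a file path, and streams the file in chunks. The IDs, the second file path and the chunk size are assumptions; Session("loggedin") is the placeholder login check from the reply.

```vbscript
<%
Option Explicit
' Added example (not from the thread). IDs, the second path and CHUNK are constructed.
Const CHUNK = 65536            ' bytes sent per write
Dim files, id, fPath, stream
Response.Buffer = True         ' required for Response.Flush below

' Allow-list: public download ID -> file stored outside the web root.
Set files = Server.CreateObject("Scripting.Dictionary")
files.CompareMode = vbTextCompare
files.Add "setup", "D:\Files\myfile.exe"
files.Add "manual", "D:\Files\manual.pdf"

If Session("loggedin") Then    ' same placeholder check as in the reply
    ' & "" turns a missing parameter into an empty string
    id = Trim(Request.QueryString("id") & "")
    If Not files.Exists(id) Then
        ' Unknown ID: the request value is never used to build a path
        Response.Status = "404 Not Found"
        Response.End
    End If
    fPath = files(id)

    Response.Clear
    Response.ContentType = "application/octet-stream"
    Response.AddHeader "Content-Disposition", _
        "attachment; filename=""" & Mid(fPath, InStrRev(fPath, "\") + 1) & """"

    Set stream = Server.CreateObject("ADODB.Stream")
    stream.Type = 1            ' adTypeBinary
    stream.Open
    stream.LoadFromFile fPath
    Do While Not stream.EOS
        ' Stop reading if the browser has gone away
        If Not Response.IsClientConnected Then Exit Do
        Response.BinaryWrite stream.Read(CHUNK)
        Response.Flush
    Loop
    stream.Close
    Set stream = Nothing
Else
    Response.Redirect "/login.asp"
End If
%>
```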


