
Security for direct typing

Hello Everyone.
Got a quick question: I have a downloads page that has files on it that only current clients should have access to. When you access it through the web using our download page, you get prompted for your username and password through an .asp page that accesses a database filled with our client information. This works great.
However, if you direct type to the files, ex: www.mysite.com/xxxx/filename.file, you gain access to these files without having a user name and file.
How do I lock this up?
Thank you very much!


3 Comments(s)

@Vladdy, Jun 28.2004 — Block folder access from outside.

ASP Script: instead of redirecting, read the file data and output it to the client with appropriate headers.
@Blelisa (author), Jun 28.2004 — Thanks for the quick response, Vladdy.

Unfortunately I did not write the .asp pages and it is new to me, so I may need a little more help.

I pulled up the pre_chklogin.asp page and I see this:

<% @LANGUAGE = VBSCRIPT %>
<% Option Explicit %>
<% 'chk_login.asp %>
<% Dim connection, check, info

If Session("loggedIn") Then
    Call Response.Redirect("downloads111.htm")
Else
    Call Response.Redirect("login.asp")
End If
%>

I also have this in my chk_login.asp page

<% @LANGUAGE = VBSCRIPT %>
<% Option Explicit %>
<% 'chk_login.asp %>
<% Dim connection, check, info

'Open a database connection
Set connection = Server.CreateObject("ADODB.Connection")
connection.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
    Server.MapPath("data/login.mdb")
connection.Open
' Call connection.open("ecommerce")

'Build the SQL query
check = "SELECT * From member WHERE username = '" _
    & CStr(Request("Username")) & "'" _
    & " AND password='" _
    & CStr(Request("Password")) & "'"

'Open the record set
Set info = Server.CreateObject("ADODB.RecordSet")
Call info.Open(check, connection)

On Error Resume Next

If info.EOF Then
    'The user's login is incorrect
    Call info.Close()
    Call connection.Close()
    Call Response.Redirect("badlogin.asp")
Else
    'The user's login is correct
    Session("username") = Request("Username")
    Session("loggedIn") = True

    Call info.Close()
    Call connection.Close()
    Call Response.Redirect("downloads111.htm")
End If
%>

Do I need to change the redirect on both pages? And if so, what do I replace them with?

Sorry to be such a pain.
@Vladdy, Jun 28.2004 — Read up on FileSystemObject and use it to read files instead of redirecting to them.
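
The approach suggested in the replies above, as an added example that is not code from the thread or from the poster's site: a gatekeeper script checks the session flag set by chk_login.asp and then streams the file itself instead of redirecting to it. The script name download.asp, the `file` query parameter and the DOWNLOAD_DIR path are assumptions; FileSystemObject is used only to test that the file exists, and ADODB.Stream does the read because FileSystemObject handles text files only.

```vbscript
<%@ LANGUAGE = VBSCRIPT %><%
Option Explicit
' download.asp (hypothetical name): stream a protected file to a logged-in client.
' Assumption: the files were moved out of the web root into DOWNLOAD_DIR
' (placeholder path), so a typed URL can no longer reach them.
Const DOWNLOAD_DIR = "D:\protected_downloads\"
Const adTypeBinary = 1          ' ADODB.Stream binary mode
Const CHUNK_SIZE = 65536        ' bytes sent per write

Dim fso, requested, fullPath, stream
Response.Buffer = True          ' required for Response.Flush below

' Same session flag that chk_login.asp sets after a successful login.
If Session("loggedIn") <> True Then
    Response.Redirect "login.asp"   ' Redirect stops the script here
End If

' Accept a bare file name only: no separators, "..", or drive/stream colons.
requested = CStr(Request.QueryString("file"))
If requested = "" Or InStr(requested, "\") > 0 Or InStr(requested, "/") > 0 _
   Or InStr(requested, "..") > 0 Or InStr(requested, ":") > 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = DOWNLOAD_DIR & requested
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' FileSystemObject reads text only, so ADODB.Stream carries the binary data.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile fullPath

Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & requested & """"
Response.AddHeader "Content-Length", CStr(stream.Size)

Do While Not stream.EOS
    If Not Response.IsClientConnected Then Exit Do
    Response.BinaryWrite stream.Read(CHUNK_SIZE)
    Response.Flush
Loop
stream.Close
%>
```

Links on the downloads page would then point to download.asp?file=filename.file rather than at the file itself. The session flag this script trusts is only as sound as the login check: chk_login.asp builds its SQL by concatenating Request values, which a parameterized ADODB.Command would avoid.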