To read the article online, visit http://www.4GuysFromRolla.com/webtech/081199-1.shtml

Protecting Everything


When you put something on the web, you've got to be careful, because anyone can access it if they just guess the correct URL. If you have sensitive material, or material that folks must pay for, then you want to make sure that not just anybody can get to it. The inspiration for this article comes from an ASP Messageboard post, which reads:

I have a problem and that is that my company decided to make customers' invoices available through the extranet. This is all fine and good except that I have to program the thing.

The situation is as follows:

- Invoices are generated with a program that leaves a bunch of pdf files in a directory ( INV/00001.PDF; INV/00002.PDF; Etc. )
- There is a table in oracle that has ( ACCT, PASS )
- There is a table in oracle that has ( ACCT, FILE, DATE )
- There is a Form with ACCT, PASS

The form submits to an asp that looks up acct in table 1 and compares PASS in form with PASS in Table. If it is ok then Look up in Table 2 all records that match ACCT.

The resulting html file is something like this :

<% Do Until RS_2.EOF %>
	<a href="/INV/<%=RS_2("FILE")%>">
		<%=RS_2("DATE")%>
	</a>

<% 	RS_2.movenext

Loop
%>

Now what is to stop someone from looking at the url and starting to type in the address bar something like:

http://svrname/inv/0099.pdf

and seeing someone else's invoice? How can I make this project viable and secure?

Well, we are going to use ASP to hide our files. Rather than linking directly to the file using the method shown above (<A HREF="/INV/<%=RS_2("FILE")%>">), we will link directly to an ASP file called showFile.asp. Through the querystring we will pass in the file name (less the directory), the content type, the UserName, and the Password. Previously, the field RS_2("FILE") probably contained the full URL to the PDF file. All we want it to contain is the actual file name. We will bury all of the PDF files into a long, deep directory name, to greatly minimize the chances of someone just guessing the URL of the PDF files. (If someone were to guess the full URL of the PDF files, and typed that URL into their browser, they would be able to view the PDF files; it's not a security flaw, just the nature of the web.)

To accommodate the changes we will need to change the looping code to:

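<%
' List each invoice as a link to showFile.asp rather than to the PDF itself.
' Server.URLEncode keeps characters such as & or spaces in a value from breaking the querystring.
Do Until RS_2.EOF %>

	<a href="/scripts/showFile.asp?File=<%=Server.URLEncode(RS_2("FILE"))%>&
			UserName=<%=Server.URLEncode(username)%>&
			Password=<%=Server.URLEncode(password)%>&
			ContentType=application/pdf">

		<%=RS_2("DATE")%>
	</a>

<% 	RS_2.MoveNext
Loop
%>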

(Note that the above HREF was broken into multiple lines to make it easier to read through your browser. The entire HREF needs to be on one line...)

Now, what we need to accomplish in showFile.asp is the following: first, verify that the user has rights to look at this file. If he or she does not, then we want to redirect them to a page explaining that they do not have adequate permissions to view that particular PDF file. The reason we need to verify the username/password is to stop someone from calling showFile.asp and guessing at PDF file names. For example, if their invoice is 00001.pdf, they might try 00002.pdf, which might be an invoice for another client. We don't want them to see 00002.pdf if it's not their invoice!
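
The check described above, modeled as an added example in Python rather than ASP so it runs on its own; it is not the article's showFile.asp. The function names, INVOICE_DIR, the sample accounts, and the in-memory SQLite database standing in for the two Oracle tables are all assumptions.

```python
import hmac
import re
import sqlite3
from pathlib import PurePosixPath

# Assumed storage location; the article instead buries the PDFs in a long directory name.
INVOICE_DIR = PurePosixPath("/data/invoices")
# Invoice names in the post look like 00001.PDF; any other shape is refused.
FILE_RE = re.compile(r"[0-9]{5}\.PDF", re.IGNORECASE)

def build_db():
    """Constructed sample data mirroring the post's (ACCT, PASS) and (ACCT, FILE, DATE) tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (ACCT TEXT PRIMARY KEY, PASS TEXT)")
    db.execute("CREATE TABLE invoices (ACCT TEXT, FILE TEXT, DATE TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("A100", "alpha-secret"), ("B200", "bravo-secret")])
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [("A100", "00001.PDF", "1999-08-01"),
                    ("B200", "00002.PDF", "1999-08-02")])
    return db

def authorize(db, acct, password, filename):
    """Return the path to serve, or None if the request must be refused."""
    # 1. Shape check: rejects "../", directory names and absolute paths outright.
    if not FILE_RE.fullmatch(filename or ""):
        return None
    # 2. Authenticate against table 1 (parameterized query, constant-time compare).
    row = db.execute("SELECT PASS FROM accounts WHERE ACCT = ?", (acct,)).fetchone()
    if row is None or not hmac.compare_digest(row[0].encode(), (password or "").encode()):
        return None
    # 3. Ownership: the file must be listed for this same account in table 2.
    #    Without this step a valid login could still fetch another client's invoice.
    name = filename.upper()
    owned = db.execute("SELECT 1 FROM invoices WHERE ACCT = ? AND FILE = ?",
                       (acct, name)).fetchone()
    if owned is None:
        return None
    return str(INVOICE_DIR / name)

if __name__ == "__main__":
    db = build_db()
    print(authorize(db, "A100", "alpha-secret", "00001.PDF"))  # own invoice
    print(authorize(db, "A100", "alpha-secret", "00002.PDF"))  # another client's invoice
```

A caller would redirect to the "no permission" page whenever authorize returns None, and stream the file only from the returned path.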

You may be wondering how we're going to do all of this... well, that will all be explained in the next part of this article!

  • Article Information
    Article Title: Protecting Everything
    Article Author: Scott Mitchell
    Published Date: Wednesday, August 11, 1999
    Article URL: http://www.4GuysFromRolla.com/webtech/081199-1.shtml

