A
Anthony Jones
I've been searching the web and have found very little info about the
following problem. This surprises me because I would have thought it to
affect a lot of sites. Therefore I'm wondering if I missing something
obvious that everyone else knows.
I have a site which in part contains a Document management system, many
documents are office documents of which some are powerpoint presentations.
The site requires the user to login and tracks the login status via the
session. (An ASP session is tracked by an 'in-memory' cookie, such a cookie
is held only in process memory and is not persisted to disk).
When a user requests a document such as a powerpoint presentation the server
checks that the authenticated user is authorized to view the document and if
so allows the user view it.
Up until Powerpoint 2007 this approach worked fine.
Now with 2007 powerpoint hijacks the download of the document. It spins up a
separate powerpoint process (rather than using components integrated into
the IE process). It aborts the current download initiated IE and sends its
own request for the URL of the document(it uses range headers so that it can
utalise whats been downloaded so far).
The problem is that the request generated by the powerpoint process will not
include the session cookie which is held only in-memory in the IE process.
Therefore the server sees an unauthenticated session and rejects the
download.
I'm finding it difficult to believe the I'm in the minority for having sites
require authentication before allow access to powerpoint slides. Therefore
my current thinking is I'm being dense and missing something obvious.
following problem. This surprises me because I would have thought it to
affect a lot of sites. Therefore I'm wondering if I missing something
obvious that everyone else knows.
I have a site which in part contains a Document management system, many
documents are office documents of which some are powerpoint presentations.
The site requires the user to login and tracks the login status via the
session. (An ASP session is tracked by an 'in-memory' cookie, such a cookie
is held only in process memory and is not persisted to disk).
When a user requests a document such as a powerpoint presentation the server
checks that the authenticated user is authorized to view the document and if
so allows the user view it.
Up until Powerpoint 2007 this approach worked fine.
Now with 2007 powerpoint hijacks the download of the document. It spins up a
separate powerpoint process (rather than using components integrated into
the IE process). It aborts the current download initiated IE and sends its
own request for the URL of the document(it uses range headers so that it can
utalise whats been downloaded so far).
The problem is that the request generated by the powerpoint process will not
include the session cookie which is held only in-memory in the IE process.
Therefore the server sees an unauthenticated session and rejects the
download.
I'm finding it difficult to believe the I'm in the minority for having sites
require authentication before allow access to powerpoint slides. Therefore
my current thinking is I'm being dense and missing something obvious.