Need general approach for hiding files

  • Thread starter Thread starter seguso
  • Start date Start date
S

seguso

Hello, I have a very simple problem I don't know how to approach. I
need a suggestion about the general approach to take.

I have a bunch of html pages on a machine, all in the same folder
"logs". Each html page contains a log. The filenames look like

logs/log-xxxx.html

where xxxx is a user-id. (Each file logically belongs to a different
user).

I am developing a web site in asp.net which allows each user to see
his own log.

The obvious approach is to have a page where I dynamically create a
link <a href="logs/log-xxxx.html">, where xxxx depends on the user
authenticated in asp.net. This works: when the user clicks the link,
the html opens in a new window. But, in the browser's location bar,
the user sees the full path of the file, e.g.

http://localhost/WebSite/Docs/log-1234.html

Now, if he were to manually change the number on the location bar,
either by mistake or intentionally, he would see the log of another
user! This is not acceptable for privacy reasons.

What is a general approach to solve this problem? I mean, allowing the
user to only obtain his html file and not somebody else's. Have I to
write a httphandler, or is there a simpler solution?

Thanks a lot for any help,

Maurizio
 
Never expose actual path to sensitive data.

Instead of <a href="logs/log-xxxx.html">, use
<a href="showlog.aspx?id=xxxx">

Make a simple asp.net page showlog.aspx that will deliver the log by the
user id. The user won't know anything about the actual file location.

--
Eliyahu Goldin,
Software Developer & Consultant
Microsoft MVP [ASP.NET]
http://msmvps.com/blogs/egoldin
http://usableasp.net
 
you have to compare user id to value in logfile address - no match, no access.
Click to expand...

Thank you, but where should I do the comparison? When the user types
something in the browser's location bar, and presses ENTER, I don't
have a callback which can approve or discard the request...

Maurizio
 
You could pass them through an intermediate page, do the check, then proceed.

see also suggestion by Eliyahu Goldin below.
 
Hello, I have a very simple problem I don't know how to approach. I
need a suggestion about the general approach to take.

I have a bunch of html pages on a machine, all in the same folder
"logs". Each html page contains a log. The filenames look like

logs/log-xxxx.html

where xxxx is a user-id. (Each file logically belongs to a different
user).

I am developing a web site in asp.net which allows each user to see
his own log.

The obvious approach is to have a page where I dynamically create a
link <a href="logs/log-xxxx.html">, where xxxx depends on the user
authenticated in asp.net. This works: when the user clicks the link,
the html opens in a new window. But, in the browser's location bar,
the user sees the full path of the file, e.g.

http://localhost/WebSite/Docs/log-1234.html

Now, if he were to manually change the number on the location bar,
either by mistake or intentionally, he would see the log of another
user! This is not acceptable for privacy reasons.

What is a general approach to solve this problem? I mean, allowing the
user to only obtain his html file and not somebody else's. Have I to
write a httphandler, or is there a simpler solution?

Thanks a lot for any help,

Maurizio
Click to expand...

Do not store those html files in the website, but just next to it.
This means that you can't have a direct link to it.
Add a "ViewLog.aspx" to your site, which
1) finds the id of the "current user",
2) builds the filename for his/her logfile,
3) uses Response.WriteFile to send that logfile to the browser.

Hans Kestin
 
map html files to asp.net in iis. then in your global.asa, in the
BeginRequest, do the user check. if fails, return a 401 response.

also you could encrypt the userid, so its hard to guess.


-- bruce (sqlwork.com)
 
map html files to asp.net in iis. then in your global.asa, in the
BeginRequest, do the user check. if fails, return a 401 response.

also you could encrypt the userid, so its hard to guess.
Click to expand...


Thank you very much Bruce. That's exactly what I was looking for.

Maurizio
 
Back
Top