Login skipped for Flash object
-
Hi, I have a Flash object on the root directory of my website. I use it to do multiple uploads on one of my site pages. The site is protected with forms authentication, but I just found out that if a user (not logged in) enters the complete path of the Flash object, i.e. http://someserver/myflashobject.swf, he will be able to see the object and use it! In my case it's not a big deal, since the page that usually displays the object also sets some JavaScript event handlers and uses some session parameters, which won't be available here, so no file will actually be uploaded, but I was quite astonished that the user wasn't requested to log in to access the Flash object. Does anybody know why the Flash object is accessible directly without reverting to the login page? Is there a special configuration for the web site in web.config to stop people accessing the Flash object directly? Thanks
-- If this is a post that has been helpful to you, please vote for it. Thank you! "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." --Rich Cook
-
You would get the same issue with a JPG or GIF image, or Word doc or whatever... if you want to protect such files you must tell the webserver to handle requests for them, and build your own HttpHandler to deal with them. Try Googling something along the lines of "httphandler protect files"... however, you will need access to the webserver as well (or at least get the server admin people to configure IIS as needed). The webserver needs to be told which types of files to let .NET deal with and which to just farm out when requested - by default it will deal with .aspx pages and the like, but not .swf etc...
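A sketch of the kind of HttpHandler the reply describes, added here as an example and not code from the thread. The class name `ProtectedSwfHandler` and the web.config registration shown in the comments are assumptions, and IIS must already be mapping `.swf` requests to ASP.NET for the handler to run.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Security;

// Hypothetical handler (name is an assumption). Example registration in web.config
// for the classic pipeline, with the class placed in App_Code:
//   <system.web><httpHandlers>
//     <add verb="GET,HEAD" path="*.swf" type="ProtectedSwfHandler" />
//   </httpHandlers></system.web>
// The .swf extension must also be mapped to ASP.NET in IIS, which is the
// server-side step the reply says needs admin access.
public class ProtectedSwfHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Once the request flows through ASP.NET, forms authentication has set
        // context.User. <authorization> rules apply too; this check is a second layer.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // PhysicalPath is the file the requested URL maps to under the site root.
        string path = context.Request.PhysicalPath;
        bool isSwf = string.Equals(Path.GetExtension(path), ".swf",
                                   StringComparison.OrdinalIgnoreCase);
        if (!isSwf || !File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/x-shockwave-flash";
        // Keep the authenticated response out of shared caches.
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.TransmitFile(path);
    }
}
```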