hide documents
-
Hi everybody, First of all: best wishes for the coming year! Unfortunately I am still working on this last day of 2008, and hope someone else is too... I am building a website for a company that does inspections on seagoing vessels. They produce reports of these inspections and want to make those reports available to the customers through their website. It is obviously no problem to provide a login to a restricted page for a particular customer, on which he can see a list of the reports (pdf files) he can download. I am using php for this. However, should anyone know the location and the names of the relevant files, this would enable them to download the file by just entering its URL, bypassing my beautiful login script (I can protect the php page against showing without login, but the pdf files themselves obviously do not have any coding that allows to protect them). Does anyone have any idea how to make sure that the downloadable files can only be reached through my php page and not directly through their URLs? Thanks in advance. William
-
You would need an IIS handler to map the file type to and process the request, where you could check for authorization, before displaying the file.
only two letters away from being an asset
-
As Mark replied, you need to be admin of the system. But there are other ways to protect your files to some extent. I am not a php developer, so I cannot help in the code part, but I can suggest the ways that we use in .net for security.
1. Do not give the direct link for download to the user. Hide the link and push the download from the server, e.g. as the software download is pushed by downloads.com. In .net we use the 'Response' method for the same.
2. Protect your PDF files with a password. This is also one security concern.
3. Do not give the download from the site. Just send the attachment in mail to the user who requested it.
Regards Aman Bhular
-
1) If the file is exposed it will be available to anyone with enough time and interest in retrieving it.
2) Possible, but how do you give out the password?
3) Impractical. I want to read the pdf now, not later in an email which can be delayed or blocked by spam filters. If the user is traveling and doesn't have access to email, how would they read the file? Wait until later?
Amandeep Singh Bhullar wrote:
the ways that we use in .net for security.
You may use these methods, but I certainly wouldn't, with the exception of #2.
only two letters away from being an asset
-
1. When a download is pushed from the server, the complete file path is never exposed. It is from the page that is being opened, but a threat level is always there.
2. He has not defined whether the PDF will be generated by the system or manually. If manually, then it can be password protected before being uploaded to the server.
3. How much time it takes to send a mail. Hardly a minute or two or five. For security it does not matter. Regarding spam, the address can be added in Contact List. Last, if the User is traveling, and can access the website, but not mail, how is this possible (if there are firewalls or proxies)?
There is also a fourth option in .net, i.e., if you have used rapidshare.com, it does not start the download even if you type the complete path of the file in the address bar. I can implement that in .net, but have no idea of php. Securing a file a little is always better than leaving it in the open. At least the person who is interested will have to do the extra workout.
-
Email is not a practical solution for a number of reasons.
Amandeep Singh Bhullar wrote:
How much time it takes to send a mail. Hardly a minute or two or five.
That's the point, time. A user wants to view the file immediately, that's why they clicked on the link. Email may not be available, think of a kiosk situation.
Amandeep Singh Bhullar wrote:
Regarding spam, the address can be added in Contact List.
So you're saying that to look at the file I must know the email address of the sender and add it to the white list before I can receive the email and view the file I wanted. :rolleyes: :laugh: :laugh:
Amandeep Singh Bhullar wrote:
Last, if the User is traveling, and can access the website, but not mail, how is this possible
how is this possible? You can't be serious. Apply a little thought processing. :rolleyes:
only two letters away from being an asset
-
Store the files outside the site document root (write-protected). Your code should check for a logged-in user. You may code a script for fetching the contents of the downloadable file and also storing it in a file on the fly and render it. This should solve the purpose.
Girish Nbr.
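The approach suggested in this reply (files outside the document root, served by a script that checks the logged-in user), sketched as an added example that is not part of the original thread. The storage path, the `customer_id` session key and the `file` query parameter are assumptions.

```php
<?php
// download.php: added example, not code from the thread.
// Assumptions: the login script stores the customer's numeric id (an int) in
// $_SESSION['customer_id'], and reports live in REPORT_ROOT/<customer id>/,
// a directory outside the web server's document root.
declare(strict_types=1);

const REPORT_ROOT = '/var/data/reports';   // hypothetical path, not under the docroot

session_start();

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// 1. Authentication: no valid session, no file.
if (!isset($_SESSION['customer_id']) || !is_int($_SESSION['customer_id'])) {
    deny(403);
}

// 2. Authorization: a customer can only reach their own directory.
$customerDir = realpath(REPORT_ROOT . '/' . $_SESSION['customer_id']);
if ($customerDir === false) {
    deny(404);
}

// 3. Input handling: accept a bare file name only (no slashes), PDF only.
$name = $_GET['file'] ?? '';
if (!is_string($name) || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.pdf\z/', $name)) {
    deny(400);
}

// 4. Resolve symlinks and confirm the result is still inside that directory.
$path = realpath($customerDir . '/' . $name);
if ($path === false || strpos($path, $customerDir . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    deny(404);
}

// 5. Stream the file; its real location never appears in a URL.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

The report list page then links to `download.php?file=<name>` instead of the PDF's own URL, and no copy of the PDFs is left in a web-accessible directory.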