Do not allow direct access to the file itself. Create the file
dynamically, or read it from a location outside the web root, via a
servlet/app that checks the validity of the session.
It is not difficult to supply headers to indicate the
content-disposition, which tells the browser to try to save the file,
and can even provide a useful file name, rather than the name of the
servlet.
Rogan
Sangita Pakala wrote:
> Hi,
>
> Could I have the list's thoughts on an answer we are preparing for the
> next version of the AppSec FAQ at OWASP.
>
> Question - How can I ensure my application allows only authenticated
> users access to files like *.pdf or *.doc?
>
> Issue - Suppose a web site, say a bank site, displays the user's account
> statement as a .doc file. What if someone tries to access this file by
> typing its full URL into the address bar? How does the application check
> whether the user trying to access the file is the authenticated user and
> that the session has not expired?
>
> Solution - One solution is to have a random number for the name of the
> file or the folder containing it. This random number could even be
> related to the session token of the user. This file/folder should then
> be deleted as soon as the user's session has expired.
>
> Are there better methods available to address this issue? Can the web
> server run a server side program to verify the session token before
> serving the final GET request for the file?
>
>
> Thanks,
> Sangita.
>
> OWASP AppSec FAQ
> http://www.owasp.org/documentation/appsecfaq
>
> Paladion Networks
> http://www.paladion.net
>
--
"Using encryption on the Internet is the equivalent of arranging an
armored car to deliver credit card information from someone living
in a cardboard box to someone living on a park bench."
- Gene Spafford
Received on Feb 26 2004
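One way to implement the approach in Rogan's reply, as an added Python example (it is not code from the original thread, from OWASP, or from Paladion): the statements live outside the web root, the handler validates the session before touching the filesystem, derives the user's directory from the session rather than from the URL, and sends the file with a Content-Disposition header carrying a sensible name. The in-memory session store, the session-timeout value, the sample users and the temp-directory document store are all constructed for the example; the Cache-Control: no-store header is an added precaution the reply does not mention.

```python
"""Serve protected .pdf/.doc files only to the authenticated session owner.

Everything below (sessions, users, files) is constructed sample data for the
example; a real deployment would read sessions from the app server and files
from a directory the web server does not map onto any URL.
"""
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional, Tuple

SESSION_TTL = 15 * 60  # seconds of inactivity after which a session is expired (assumed value)

# session token -> owner and last-activity time (constructed, in-memory store)
SESSIONS: Dict[str, Dict] = {
    "sess-alice-1": {"user": "alice", "last_seen": time.time()},
    "sess-bob-stale": {"user": "bob", "last_seen": time.time() - 2 * SESSION_TTL},
}

# Document store OUTSIDE the web root, one sub-directory per user (constructed).
STATEMENT_ROOT = Path(tempfile.mkdtemp(prefix="statements-"))
for owner, files in {
    "alice": {"2004-01.pdf": b"%PDF-1.4 fake alice statement", "2004-01.doc": b"fake alice doc"},
    "bob": {"2004-01.pdf": b"%PDF-1.4 fake bob statement"},
}.items():
    (STATEMENT_ROOT / owner).mkdir()
    for name, data in files.items():
        (STATEMENT_ROOT / owner / name).write_bytes(data)

# Only plain base names with a known extension are accepted: no slashes, no "..".
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(pdf|doc)$")
CONTENT_TYPES = {".pdf": "application/pdf", ".doc": "application/msword"}


def authenticated_user(session_id: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the user bound to a live session, or None if it is missing or expired."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(session_id or "")
    if sess is None or now - sess["last_seen"] > SESSION_TTL:
        return None
    return sess["user"]


def serve_statement(session_id: Optional[str], requested: str,
                    now: Optional[float] = None) -> Tuple[int, Dict[str, str], bytes]:
    """Handle GET /statement?name=<requested>; returns (status, headers, body).

    The session is checked first, the owner's directory comes from the session
    (so a user cannot name another user's folder in the URL), and the file is
    sent as an attachment with its own name rather than the handler's name.
    """
    user = authenticated_user(session_id, now)
    if user is None:
        return 401, {}, b"login required"
    if not SAFE_NAME.match(requested):
        return 400, {}, b"bad file name"
    user_dir = (STATEMENT_ROOT / user).resolve()
    path = (user_dir / requested).resolve()
    # Belt-and-braces: even with the regex, refuse anything outside the user's directory.
    if path.parent != user_dir or not path.is_file():
        return 404, {}, b"not found"
    body = path.read_bytes()
    headers = {
        "Content-Type": CONTENT_TYPES[path.suffix],
        "Content-Disposition": f'attachment; filename="{path.name}"',
        "Content-Length": str(len(body)),
        "Cache-Control": "no-store",  # added precaution: keep statements out of shared caches
    }
    return 200, headers, body


if __name__ == "__main__":
    for sid, name in [("sess-alice-1", "2004-01.pdf"), ("sess-bob-stale", "2004-01.pdf"),
                      ("sess-alice-1", "../bob/2004-01.pdf"), (None, "2004-01.pdf")]:
        status, hdrs, _ = serve_statement(sid, name)
        print(sid, name, "->", status, hdrs.get("Content-Disposition", ""))
```

Because the owner's directory is taken from the session and the requested name is restricted to a bare file name, typing a full URL into the address bar cannot reach another user's statement or any file outside the store; an expired or absent session is turned away before the filesystem is consulted, which is the check the original question asks for.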