WebApp Sec: Re: Securing file access

[Sean Radford <sradford () bladesystems co uk>]

And I guess a 3rd party app is not an option, lots around...

(http://www.aegeus-technology.com/sw_about.htm is 1 I know of)

> John M. L. wrote:
>
> > I have a project that involves a members only area on web page on IIS.
> > The members' only area is secured by a database (MS Access) so users are
> > authenticated by their name and some MD5 hash etc.  I need to allow 
> > files
> > (mostly PDFs) for download to authenticated users only.  In my 
> > opinion this
> > means that the files can not be stored in any www accessible folder
> > (regardless of any renaming convention etc, I absolutely cannot have 
> > someone
> > guess a file name to download).  In order to access the files, the 
> > database
> > would link a file to a unique id, so a page that validates the user 
> > would
> > then give access to the file stored outside of the www on the 
> > server.  Now,
> > this is where the real question lies.  How is this possible since the 
> > files
> > are not in a www accessible path, since a mere link to a file won't due.
> > Any thoughts would be welcome.  If I'm going about this completely wrong
> > that would be nice to no too :)   Forgive me if the answer is simple, 
> > I'm a
> > Linux fan and haven't used IIS etc for years.
> > One more note: IIS, MS Access and VBScript are not my technologies of
> > choice, but merely what I was given to work with.  I also have very 
> > limited
> > control over administering IIS.
> >
> > John
> > www.recaffeinated.com

--
Dr. Sean Radford, MBBS, MSc
sradford () bladesystems co uk
http://bladesys.demon.co.uk/