Security for direct typing

Hello Everyone.
Got a quick question: I have a Downloads page that has files on it that only current clients should have access to. When you access it through the web using our Download page you get prompted for your username and password through an .asp page that accesses a database filled with our client information. This works great.
However, if you direct type to the files, ex: http://www.mysite.com/xxxx/filename.file you gain access to these files without having a user name and file.
How do I lock this up? :confused:
Thank you very much!
<!--content-->
Block folder access from outside.
ASP Script: instead of redirecting read the file data and output to client with appropriate headers.
<!--content-->
Thanks for the quick response Vladdy :cool:

Unfortunately I did not write the .asp pages and it is new to me so I may need a little more help.
I pulled up the pre_chklogin.asp page and I see this:
<% @LANGUAGE = VBSCRIPT %>
<% Option Explicit %>

<% 'chk_login.asp %>

<% Dim connection, check, info

If Session("loggedIn") Then
    Call Response.Redirect("Downloads111.htm")
Else
    Call Response.Redirect("login.asp")
End If
%>

I also have this in my chk_login.asp page
<% @LANGUAGE = VBSCRIPT %>
<% Option Explicit %>

<% 'chk_login.asp %>

<% Dim connection, check, info

'Open a database connection
Set connection = Server.CreateObject("ADODB.Connection")
connection.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
    Server.MapPath("data/login.mdb")
connection.Open

' Call connection.open("ecommerce")

'Build the SQL query
check = "SELECT * From member WHERE username = '" _
    & CStr(Request("Username")) & "'" _
    & " AND password='" _
    & CStr(Request("Password")) & "'"

'Open the record set
Set info = Server.CreateObject("ADODB.RecordSet")
Call info.Open(check, connection)
On Error Resume Next

If info.EOF Then

    'The user's login is incorrect
    Call info.Close()
    Call connection.Close()
    Call Response.Redirect("badlogin.asp")
Else

    'The user's login is correct
    Session("username") = Request("Username")
    Session("loggedIn") = True

    Call info.Close()
    Call connection.Close()
    Call Response.Redirect("Downloads111.htm")
End If
%>

Do I need to change the redirect on both pages? And if so what do I replace them with?

Sorry to be such a pain :(
<!--content-->
Read up on FileSystemObject and use it to read files instead of redirecting to them.
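
The approach suggested in the replies (block direct folder access, then have an ASP script check the session and send the file itself), sketched as an added example that is not part of the original thread or the poster's site. `Session("loggedIn")` and `login.asp` come from the thread; the script name `download.asp`, the `file` query parameter and the folder `D:\protected_downloads\` are assumptions, and `ADODB.Stream` is used for the binary read while `FileSystemObject` handles name and existence checks.

```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' download.asp (hypothetical name): gatekeeper for the protected files.
' Links on the downloads page would point at download.asp?file=<name>
' instead of at the files themselves.
Const PROTECTED_DIR = "D:\protected_downloads\"  ' assumed folder outside the web root
Const adTypeBinary = 1

Dim fso, requested, safeName, fullPath, stream

' 1. Require the same session flag that chk_login.asp sets after a good login.
If Session("loggedIn") <> True Then
    Response.Redirect "login.asp"
End If

' 2. Accept a bare file name only: anything carrying a path separator,
'    a drive/stream colon or a parent reference is rejected outright.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
requested = CStr(Request.QueryString("file"))
safeName = fso.GetFileName(Replace(requested, "/", "\"))

If safeName = "" Or safeName <> requested Or InStr(requested, ":") > 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

fullPath = fso.BuildPath(PROTECTED_DIR, safeName)
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 3. Read the file server-side and write the bytes to the client, so there
'    is no direct URL to the file for anyone to type.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile fullPath

Response.Buffer = True
Response.Clear
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & safeName & """"
Response.BinaryWrite stream.Read
stream.Close
%>
```

This gate is only as strong as the session flag it checks: chk_login.asp sets `Session("loggedIn")` after a query built by concatenating `Request` values into the SQL string, so that query should be parameterized (for example with `ADODB.Command` parameters) for the flag to be trustworthy.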
 