NetTalk Central

Author Topic: How to prevent NT serving files other than when logged in  (Read 7073 times)

ianburgess

  • Full Member
  • ***
  • Posts: 119
    • View Profile
    • Email
How to prevent NT serving files other than when logged in
« on: August 01, 2012, 07:06:46 AM »
I have a NT browse with a hypertext link on the file description column that opens a previously uploaded file from:
https://mydomain.org.uk/discussion_uploads/filename.jpg?DISH__ID=10&PressedButton=ViewAttachment

The problem is that I only want people to be able to download the file if logged in, but if someone saves the URL that opens the file, it appears that they can reopen/download that file at a later time even if not logged in. How can I prevent NT serving the files when not logged in?

Thanks

Ian

bshields

  • Sr. Member
  • ****
  • Posts: 392
    • View Profile
    • Inhabit
    • Email
Re: How to prevent NT serving files other than when logged in
« Reply #1 on: August 01, 2012, 02:46:58 PM »
Hi Ian,

I have a few suggestions:

1. Don't allow them to download the file directly, in other words don't generate the link to an actual file but route it via a NetWebPage that checks credentials. This also allows you to embed into the URL an encoded time stamp that could allow the file download ability to expire after a certain number of hours or days.

2. Intercept the SendFile method or intercept the ProcessLink method, in the web server.

I like #1 as it is cool.

Regards
Bill

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: How to prevent NT serving files other than when logged in
« Reply #2 on: August 01, 2012, 10:02:40 PM »
Hi Ian,

as it happens there is a property for that.
the idea is that there is a folder for static files which only logged-in people can access.

By default this is \web\loggedin
the property is p_web.site.loggedindir
there's also one for secure (ie only serve over SSL connections), p_web.site.securedir (which defaults to web\secure)

Bills first idea though is a good one.

cheers
Bruce


ianburgess

  • Full Member
  • ***
  • Posts: 119
    • View Profile
    • Email
Re: How to prevent NT serving files other than when logged in
« Reply #3 on: August 01, 2012, 10:21:41 PM »
Thanks Bill and Bruce. I think I will go with the built-in \web\loggedin folder to save the static files. Bruce, please confirm that one can have sub-folders of \web\loggedin, eg. \web\loggedin\uploads and files in the sub-folder will only be served if logged in?

Thanks

Ian

ianburgess

  • Full Member
  • ***
  • Posts: 119
    • View Profile
    • Email
Re: How to prevent NT serving files other than when logged in
« Reply #4 on: August 02, 2012, 12:43:48 AM »
I started to go down route of using \loggedin folder and subfolders and I can see that it would work, but it has implications in many parts of the app re displaying photos, generating thumbnails etc. and ideally would like not to change all these.

Since I never want to serve files if not logged in, where/how could I intercept the sendfile and processlink methods as suggested by Bill?

bshields

  • Sr. Member
  • ****
  • Posts: 392
    • View Profile
    • Inhabit
    • Email
Re: How to prevent NT serving files other than when logged in
« Reply #5 on: August 02, 2012, 10:21:16 PM »
Hi Ian,

There may be other ways (or similar ways) but i'll rough out one way (and perhaps others can refine,improve or replace it).

If a URL (page) that is requested on your server doesn't match up with your defined NetWebPage, NetWebBrowse or NetWebForm, the system passes the request to _SendFile (in WebServerHandler) to try and find if its a file like a PDF or similar and send that to the browser.

This is handy, as you can create "virtual" stuff.

eg. http://127.0.0.1/securedownload/filename.pdf

Now "securedownload" is simply a "token" to allow you to spot that you need to jump in and get involved.

So inside the CODE section of _SendFile do something like this:

Pos# =INSTRING('securedownload/',LOWER(p_filename),1,1)
IF Pos# ~= 0
  !If we get here we know its our special case
  !so we parse the actual filename out of p_filename and sendit
  PARENT._SendFile(SUB(p_filename,Pos#+15,LEN(CLIP(p_Filename))-Pos#-15),p_header)
  RETURN
.
 

Its easy to now extend this to look like:

http://127.0.0.1/securedownload/F55234GGFDFfdfd45df454dDfH/filename.pdf

Where F55234GGFDFfdfd45df454dDfH is an encrypted string that stored additional info, like the number of times they may download, the clients id, a date/time expiry etc.

Regards
Bill

bshields

  • Sr. Member
  • ****
  • Posts: 392
    • View Profile
    • Inhabit
    • Email
Re: How to prevent NT serving files other than when logged in
« Reply #6 on: August 02, 2012, 10:22:07 PM »
Oops, forgot to mention... you can check if they are logged in!

ianburgess

  • Full Member
  • ***
  • Posts: 119
    • View Profile
    • Email
Re: How to prevent NT serving files other than when logged in
« Reply #7 on: August 05, 2012, 03:52:07 AM »
Bill

Many thanks for that.

I have embedded the following:

 IF p_web.GetSessionLoggedIn() = 0 ! NOT logged in
   !Test for upload folders and don't serve
   IF INSTRING('\photos',p_FileName,1,1) OR INSTRING('\uploads',p_FileName,1,1) OR INSTRING('\discussion_uploads',p_FileName,1,1)
     RETURN
   .
 .

This works fine and gives an "error" in th browser if accessing anything in one of the specified folders if not logged in. What would be more elegant would be if it displayed an alert or a web page saying that you are not logged in but not sure of code to do either?

If I use:
p_web.Script('alert("You must be logged in to open view this file.");')

Rather than an alert message I get a page open showing:
<script defer="defer">
alert("You must be logged in to open view this file.");
</script>
« Last Edit: August 05, 2012, 03:58:09 AM by ianburgess »

bshields

  • Sr. Member
  • ****
  • Posts: 392
    • View Profile
    • Inhabit
    • Email
Re: How to prevent NT serving files other than when logged in
« Reply #8 on: August 05, 2012, 04:13:45 AM »
Hi Ian,

You should generate an appropriate HTTP Error. EG. 401 - unauthorised, 403 - forbidden or 404 - not found (see http://en.wikipedia.org/wiki/List_of_HTTP_status_codes)

self.SendError(401, 'Unauthorised', 'You are not logged in')

Regards
Bill

ianburgess

  • Full Member
  • ***
  • Posts: 119
    • View Profile
    • Email
Re: How to prevent NT serving files other than when logged in
« Reply #9 on: August 05, 2012, 04:26:02 AM »
Hi Bill

Thank yopu so much for yopur help - that now works perfectly!

Is there any resource that documents such things as "self.SendError" and syntax to use?

Regards

Ian

bshields

  • Sr. Member
  • ****
  • Posts: 392
    • View Profile
    • Inhabit
    • Email
Re: How to prevent NT serving files other than when logged in
« Reply #10 on: August 05, 2012, 04:55:50 AM »
I've seen it somewhere in the doco, but i couldn't find it a moment ago. But i'm sure i read it somewhere.

Stu

  • Hero Member
  • *****
  • Posts: 510
    • View Profile
    • Email
Re: How to prevent NT serving files other than when logged in
« Reply #11 on: August 05, 2012, 03:57:40 PM »
Fantastic thread .. Thanks Bill!
Cheers,

Stu Andrews