How to prevent NT serving files other than when logged in

[ianburgess]

I have a NT browse with a hypertext link on the file description column that opens a previously uploaded file from:
https://mydomain.org.uk/discussion_uploads/filename.jpg?DISH__ID=10&PressedButton=ViewAttachment

The problem is that I only want people to be able to download the file if logged in, but if someone saves the URL that opens the file, it appears that they can reopen/download that file at a later time even if not logged in. How can I prevent NT serving the files when not logged in?

Thanks

Ian

[bshields]

Hi Ian,

I have a few suggestions:

1. Don't allow them to download the file directly, in other words don't generate the link to an actual file but route it via a NetWebPage that checks credentials. This also allows you to embed into the URL an encoded time stamp that could allow the file download ability to expire after a certain number of hours or days.

2. Intercept the SendFile method or intercept the ProcessLink method, in the web server.

I like #1 as it is cool.

Regards
Bill

[Bruce]

Hi Ian,

as it happens there is a property for that.
the idea is that there is a folder for static files which only logged-in people can access.

By default this is \web\loggedin
the property is p_web.site.loggedindir
there's also one for secure (ie only serve over SSL connections), p_web.site.securedir (which defaults to web\secure)

Bills first idea though is a good one.

cheers
Bruce

[ianburgess]

Thanks Bill and Bruce. I think I will go with the built-in \web\loggedin folder to save the static files. Bruce, please confirm that one can have sub-folders of \web\loggedin, eg. \web\loggedin\uploads and files in the sub-folder will only be served if logged in?

Thanks

Ian

[ianburgess]

I started to go down route of using \loggedin folder and subfolders and I can see that it would work, but it has implications in many parts of the app re displaying photos, generating thumbnails etc. and ideally would like not to change all these.

Since I never want to serve files if not logged in, where/how could I intercept the sendfile and processlink methods as suggested by Bill?

[bshields]

Hi Ian,

There may be other ways (or similar ways) but i'll rough out one way (and perhaps others can refine,improve or replace it).

If a URL (page) that is requested on your server doesn't match up with your defined NetWebPage, NetWebBrowse or NetWebForm, the system passes the request to _SendFile (in WebServerHandler) to try and find if its a file like a PDF or similar and send that to the browser.

This is handy, as you can create "virtual" stuff.

eg. http://127.0.0.1/securedownload/filename.pdf

Now "securedownload" is simply a "token" to allow you to spot that you need to jump in and get involved.

So inside the CODE section of _SendFile do something like this:

Pos# =INSTRING('securedownload/',LOWER(p_filename),1,1)
IF Pos# ~= 0
  !If we get here we know its our special case
  !so we parse the actual filename out of p_filename and sendit
  PARENT._SendFile(SUB(p_filename,Pos#+15,LEN(CLIP(p_Filename))-Pos#-15),p_header)
  RETURN
.
 

Its easy to now extend this to look like:

http://127.0.0.1/securedownload/F55234GGFDFfdfd45df454dDfH/filename.pdf

Where F55234GGFDFfdfd45df454dDfH is an encrypted string that stored additional info, like the number of times they may download, the clients id, a date/time expiry etc.

Regards
Bill

[bshields]

Oops, forgot to mention... you can check if they are logged in!

[ianburgess]

Bill

Many thanks for that.

I have embedded the following:

 IF p_web.GetSessionLoggedIn() = 0 ! NOT logged in
   !Test for upload folders and don't serve
   IF INSTRING('\photos',p_FileName,1,1) OR INSTRING('\uploads',p_FileName,1,1) OR INSTRING('\discussion_uploads',p_FileName,1,1)
     RETURN
   .
 .

This works fine and gives an "error" in th browser if accessing anything in one of the specified folders if not logged in. What would be more elegant would be if it displayed an alert or a web page saying that you are not logged in but not sure of code to do either?

If I use:
p_web.Script('alert("You must be logged in to open view this file.");')

Rather than an alert message I get a page open showing:
<script defer="defer">
alert("You must be logged in to open view this file.");
</script>

[bshields]

Hi Ian,

You should generate an appropriate HTTP Error. EG. 401 - unauthorised, 403 - forbidden or 404 - not found (see http://en.wikipedia.org/wiki/List_of_HTTP_status_codes)

self.SendError(401, 'Unauthorised', 'You are not logged in')

Regards
Bill

[ianburgess]

Hi Bill

Thank yopu so much for yopur help - that now works perfectly!

Is there any resource that documents such things as "self.SendError" and syntax to use?

Regards

Ian

[bshields]

I've seen it somewhere in the doco, but i couldn't find it a moment ago. But i'm sure i read it somewhere.

[Stu]

Fantastic thread .. Thanks Bill!