using asp to force download and disguise file location

using asp to force download and disguise file location (Full Version)

All Forums >> [Web Development] >> ASP and Database

Message

adambrooks -> using asp to force download and disguise file location (10/20/2004 16:26:05)
i am looking for some tips or tricks to force a download and mask or hide the url from which it is being pulled. this would be useful for example, if you were selling digital files, software, ebooks, etc. i would like to find a way to use ASP to do it, but will consider other options if it gets the job done. here's my vision: - some one logins in via email address and order number - has a link to a downloads.asp?id=100 file with download unique id number in querystring - asp page passes the querystring "id" to database of on-site files and locations - asp file authenticates the user account, orders, and licensing rights - if authenticated, force download - if authentication fails, redirect to upgrade account / cart i can piece most of it together, but need a way to hide the location of the file being downloaded. ideas?

Spooky -> RE: using asp to force download and disguise file location (10/20/2004 21:08:07)

Heres an example that you may like to mess with:

<%@ Language=VBScript %>
<%Response.buffer=True

'///////////////////////////////////////
'// This is the server path to your files folder (it WILL need changing)
'///////////////////////////////////////

filePath = "D:\Inetpub\wwwroot\files\"

'///////////////////////////////////////
'// First, see if the user has logged in
'///////////////////////////////////////

If Session("UserName") = "" then
	'Redirect and retain any querystring values
	Response.redirect "/login.asp?Redirect=" &Request.Servervariables("URL") &"?" &Request.Servervariables("QUERY_STRING")
End If

fileName = request.querystring("f")

'///////////////////////////////////////
'// Log the download
'///////////////////////////////////////

' Insert logging code here
' Eg - record the user and download in a seperate database / text file

'////////////////////////////////////////
'// Check file path
'////////////////////////////////////////

if instr(fileName,"/") > 0 OR instr(fileName,"\") > 0 OR instr(fileName,".as") > 0 then
	response.end
End if

'////////////////////////////////////////
'// Send the file.
'//
'// Here, I also recommend you compare the username with an allowed file list
'// (if the user is only allowed some files and not others)
'// A logged on user can still guess file names by adding to the querystring
'//
'// The file is sent to the user, using the code "download.asp?f=filename.ext"
'// So, if the file is called setup.zip, youll use a link "download.asp?f=setup.zip"
'//
'////////////////////////////////////////


Response.ContentType = "application/asp-unknown"
Response.AddHeader "content-disposition","attachment; filename=" & fileName
Set FStream = Server.CreateObject("ADODB.Stream")
FStream.Open()
FStream.Type = 1
FStream.LoadFromFile(filePath&filename)
Response.BinaryWrite FStream.Read()
FStream.Close
Set FStream = Nothing
Response.End

'////////////////////////////////////////
%>

adambrooks -> RE: using asp to force download and disguise file location (10/20/2004 22:17:54)
awesome. i will give it a shot and let you know how it goes.

adambrooks -> RE: using asp to force download and disguise file location (10/20/2004 23:48:03)
works awesome. exactly what i was looking for.

Contagion -> RE: using asp to force download and disguise file location (11/15/2004 19:50:13)
Great code snippit, and when I tested it with a small binary (command.com) everything worked perfectly. When I replace it with a large file however I error out before I get a download dialog. My situation is this: I have a couple of CD ISO images that I'm making available internally. In order for users to access the image they need to read the TOS page reminding them that of IP stuff, blah, blah, and then they can access the file through that page. (Which submits to an asp page the checks some form variables, and who the referring page is) We want the users to go through this page for all downloads of this ISO, so we want to obscure the URL so they can't access it directly. (Yeah, security through obscurity, I know.. but I'm also working on making it so the ASP process has rights to the files, and not individual users.) As you might imagine, that code above is delightfully perfect, but it doesn't work for me when I simply change the file from command.com to the iso in question. Not sure where to go on this now so any tips would be much appreciated.

aaronwiles -> RE: using asp to force download and disguise file location (11/15/2004 20:43:53)
Reply to above (Contagion)... It should work all the same not matter the size of the file & a iso file should have no problems downloading. Try using a blank text file named the same as your ISO and try downloading this using a link as above, if this works then simply replace the file with your ISO & try again. If at this stage it does not work then... well you still have a problem, so let us know. What exactly happens when your try downloading the iso file as it currently stands? Do you recieve an error message? If so what is this message?

Contagion -> RE: using asp to force download and disguise file location (11/16/2004 14:13:10)
Okay.. further details. Placing an empty text file of the same name in the directory returns the same error. Presumably that's just an error with the code trying to read in an empty file, need to put in some error handling so I can output that instead of returning a stream... :( Placing a text file of the same name with 1 character in it in the same directory succesfully downloads. The ISOs are between 163Mb and 256Mb and take about 8 seconds for the error to pop up. The error that comes up is... "Internet Explorer cannot download ISOReDir.asp from mmweb. Internet Explorer was not able to open this Internet Site. The requested site is either unavailable or cannot be found. please try again later." This pops up over the top of a download dialog.

Contagion -> RE: using asp to force download and disguise file location (11/16/2004 14:13:48)
Buffer sizes? Timeouts?

Spooky -> RE: using asp to force download and disguise file location (11/16/2004 14:25:58)
Whats the exact script / path you used?

Contagion -> RE: using asp to force download and disguise file location (11/16/2004 14:50:34)

quote:

ORIGINAL: Spooky

Whats the exact script / path you used?

Here's the whole source of my page. For what it's worth I've manged to workaround by just using a response.redirect to the file in question (which you can see me testing in one of the cases in my code). I'm guessing that using that method allows for some network sniffing to determine the file location, but we're not really worried about security at that level. I just liked the idea of streaming the file so nobody was ever hitting the real one.

<%@language="vbscript"%>
<%
Response.Buffer = true
DIM sendBack, ImageType
sendBack = FALSE
imageType = request.form("txtImageType")

IF not IsNumeric(imageType) THEN imageType = 0 ELSE imageType = cint(imageType)

IF lcase(request.servervariables("http_referer")) <> "http://mmweb/serverissues/totalcontrol/iso.asp" THEN
	sendBack = TRUE
ELSEIF not isNumeric(request.form("txtImageType")) THEN
	sendBack = TRUE
ELSEIF imageType < 1 or imageType > 3 THEN
	sendBack = TRUE
ELSE
	DIM filePath
	filePath = "D:\Inetpub\wwwroot\mmweb\serverissues\TotalControl\ISO\"

	Select Case imageType
	Case 1		
		response.Redirect("ISO/x86PETCCDv12-Generic2.iso")
	Case 2		
		filename = "x64PETCCDv2-Generic2.iso"
	Case 3		
		filename = "ia64PETCCDv96-Generic1.iso"
	End Select
			
	Response.ContentType = "application/asp-unknown"
	Response.AddHeader "content-disposition","attachment; filename=" & fileName
	
	Set FStream = Server.CreateObject("ADODB.Stream")
	FStream.Open()
	FStream.Type = 1
	FStream.LoadFromFile(filePath & filename)
	Response.BinaryWrite FStream.Read()
	FStream.Close
	Set FStream = Nothing
	response.End
	
END IF

IF SendBack THEN%>
<html>
 <head>
		<meta name="GENERATOR" content="Microsoft Visual Studio.NET 7.0">
		<meta name="CODE_LANGUAGE" content="Visual Basic 7.0">
		<meta name="vs_defaultClientScript" content="VBScript">
		<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
		<link href="policy.css" type="text/css" rel="stylesheet">
  </head>
<body>
	<h3 align=center>Download failed</h3><br><br>	
	We're sorry, there was an error attempting to download the iso image. Please ensure that you are accessing this 
	image via the <a href="http://mmweb/serverissues/totalcontrol/iso.asp">Total Control ISO Download page</a>.<br><br>
	
	If problems continue, please send mail to the <a href="mailto:mmadmin">Multimedia Server Admins</a> alias.
</body>
</html>
<%END IF%>

Contagion -> RE: using asp to force download and disguise file location (11/16/2004 14:59:08)
Hmm... not sure if this is useful... changing the ContentType from "application/asp-unknown" to "application/octet-stream" allows me to at least get a dialog prompting me to save. However the filename isn't pushed forward to that dialog, and even if I select "save" I then hit the same error as before. But the behaviour is definately different.

Spooky -> RE: using asp to force download and disguise file location (11/16/2004 19:18:34)
Is this giving the expected result? Case 3 filename = "ia64PETCCDv96-Generic1.iso" End Select response.write filePath & filename response.end

GoGo -> RE: using asp to force download and disguise file location (11/17/2004 3:33:29)
I have a problem with force download from other server. Can you help me with this?

aaronwiles -> RE: using asp to force download and disguise file location (11/17/2004 17:38:00)
Err.... What's the problem????

GoGo -> RE: using asp to force download and disguise file location (11/18/2004 11:45:06)
Mp3 downloader. When I upload songs throw form at my server force download work fine but if I make link to some song on the other server then I stuck. Path is stored at MS Access database. At first case path is "/mp3/songname.mp3" and at second "http://www.some_domain/some_directory_songname.mp3"

Contagion -> RE: using asp to force download and disguise file location (11/18/2004 18:34:00)
Does your server have a MIME type defined for MP3? Some versions of IIS 404 error when you try to connect via HTTP to a file with an undefined MIME type. I believe this is by design as a security consideration.

GoGo -> RE: using asp to force download and disguise file location (11/19/2004 4:46:00)
I don't know. if song is at my server everything work fine but problem is if i'm linking some unknown server and I know only path for example http://www.some_site/somg.mp3

Contagion -> RE: using asp to force download and disguise file location (11/22/2004 14:43:23)
Hmm.. if you know that file is really there, but the other server won't let you download it, I'm guessing they are doing something with checking the HTTP_REFERER so that external sites can't link to their file.

smcfarland -> RE: using asp to force download and disguise file location (11/22/2004 15:36:31)
I would recommend downloading CandyPress shopping cart (candypress.com) and looking at how they set up their download purchases. Basically, you set a folder name in the admin section, then, they dim the folder through an asp page so that when someone logs in and purchases a download it automatically redirects and opens the file to save/download without giving the folder's destination information. I typed this all out and realized Adam's post was two years ago... but I guess if anyone needs a good solution...

pgtruesdell -> RE: using asp to force download and disguise file location (1/26/2008 0:55:11)
i am a complete newbie to asp so how would i modify the script to use it for just disguising a location of a file and giving access only if it they were logged in? sorry in advance since i am a html and learning php guy.

dpf -> RE: using asp to force download and disguise file location (1/26/2008 9:45:50)
quote: sorry in advance since i am a html and learning php guy. then why use asp? or why be learning php? sorry, but that makes no sense

pgtruesdell -> RE: using asp to force download and disguise file location (1/26/2008 10:06:03)
because i have spookys script and i have been using it for a while now and just want to know how i use that to have a file masked and so they have to login to view it.

Page: [1]

0.09375