|
| |
|
|
adambrooks
Posts: 145
Joined: 1/8/2002
From: Charlotte / Matthews NC USA
Status: offline
 |
using asp to force download and disguise file location - 10/20/2004 16:26:05
i am looking for some tips or tricks to force a download and mask or hide the url from which it is being pulled. this would be useful for example, if you were selling digital files, software, ebooks, etc. i would like to find a way to use ASP to do it, but will consider other options if it gets the job done.
here's my vision:
- some one logins in via email address and order number
- has a link to a downloads.asp?id=100 file with download unique id number in querystring
- asp page passes the querystring "id" to database of on-site files and locations
- asp file authenticates the user account, orders, and licensing rights
- if authenticated, force download
- if authentication fails, redirect to upgrade account / cart
i can piece most of it together, but need a way to hide the location of the file being downloaded.
ideas?
|
|
|
|
Spooky
Posts: 26599
Joined: 11/11/1998
From: Middle Earth
Status: offline
|
RE: using asp to force download and disguise file location - 10/20/2004 21:08:07
Heres an example that you may like to mess with:
<%@ Language=VBScript %>
<%Response.buffer=True
'///////////////////////////////////////
'// This is the server path to your files folder (it WILL need changing)
'///////////////////////////////////////
filePath = "D:\Inetpub\wwwroot\files\"
'///////////////////////////////////////
'// First, see if the user has logged in
'///////////////////////////////////////
If Session("UserName") = "" then
'Redirect and retain any querystring values
Response.redirect "/login.asp?Redirect=" &Request.Servervariables("URL") &"?" &Request.Servervariables("QUERY_STRING")
End If
fileName = request.querystring("f")
'///////////////////////////////////////
'// Log the download
'///////////////////////////////////////
' Insert logging code here
' Eg - record the user and download in a seperate database / text file
'////////////////////////////////////////
'// Check file path
'////////////////////////////////////////
if instr(fileName,"/") > 0 OR instr(fileName,"\") > 0 OR instr(fileName,".as") > 0 then
response.end
End if
'////////////////////////////////////////
'// Send the file.
'//
'// Here, I also recommend you compare the username with an allowed file list
'// (if the user is only allowed some files and not others)
'// A logged on user can still guess file names by adding to the querystring
'//
'// The file is sent to the user, using the code "download.asp?f=filename.ext"
'// So, if the file is called setup.zip, youll use a link "download.asp?f=setup.zip"
'//
'////////////////////////////////////////
Response.ContentType = "application/asp-unknown"
Response.AddHeader "content-disposition","attachment; filename=" & fileName
Set FStream = Server.CreateObject("ADODB.Stream")
FStream.Open()
FStream.Type = 1
FStream.LoadFromFile(filePath&filename)
Response.BinaryWrite FStream.Read()
FStream.Close
Set FStream = Nothing
Response.End
'////////////////////////////////////////
%>
< Message edited by Spooky -- 11/15/2006 17:27:01 >
_____________________________
If you arent part of the solution, then there is good money to be made prolonging the problem
§þ k¥
| |
|
|
|
adambrooks
Posts: 145
Joined: 1/8/2002
From: Charlotte / Matthews NC USA
Status: offline
|
RE: using asp to force download and disguise file location - 10/20/2004 22:17:54
awesome. i will give it a shot and let you know how it goes.
| |
|
|
|
adambrooks
Posts: 145
Joined: 1/8/2002
From: Charlotte / Matthews NC USA
Status: offline
|
RE: using asp to force download and disguise file location - 10/20/2004 23:48:03
works awesome. exactly what i was looking for.
| |
|
|
|
Contagion
Posts: 7
Joined: 11/15/2004
From: Redmond, WA
Status: offline
|
RE: using asp to force download and disguise file location - 11/15/2004 19:50:13
Great code snippit, and when I tested it with a small binary (command.com) everything worked perfectly. When I replace it with a large file however I error out before I get a download dialog.
My situation is this:
I have a couple of CD ISO images that I'm making available internally. In order for users to access the image they need to read the TOS page reminding them that of IP stuff, blah, blah, and then they can access the file through that page. (Which submits to an asp page the checks some form variables, and who the referring page is)
We want the users to go through this page for all downloads of this ISO, so we want to obscure the URL so they can't access it directly. (Yeah, security through obscurity, I know.. but I'm also working on making it so the ASP process has rights to the files, and not individual users.)
As you might imagine, that code above is delightfully perfect, but it doesn't work for me when I simply change the file from command.com to the iso in question. Not sure where to go on this now so any tips would be much appreciated.
| |
|
|
|
aaronwiles
Posts: 200
Joined: 7/5/2004
From: Aaron Wiles
Status: offline
|
RE: using asp to force download and disguise file location - 11/15/2004 20:43:53
Reply to above (Contagion)...
It should work all the same not matter the size of the file & a iso file should have no problems downloading.
Try using a blank text file named the same as your ISO and try downloading this using a link as above, if this works then simply replace the file with your ISO & try again. If at this stage it does not work then... well you still have a problem, so let us know.
What exactly happens when your try downloading the iso file as it currently stands? Do you recieve an error message? If so what is this message?
_____________________________
You really never learn to swear until you get a computer.
| |
|
|
|
Contagion
Posts: 7
Joined: 11/15/2004
From: Redmond, WA
Status: offline
|
RE: using asp to force download and disguise file location - 11/16/2004 14:13:10
Okay.. further details.
Placing an empty text file of the same name in the directory returns the same error. Presumably that's just an error with the code trying to read in an empty file, need to put in some error handling so I can output that instead of returning a stream... :(
Placing a text file of the same name with 1 character in it in the same directory succesfully downloads.
The ISOs are between 163Mb and 256Mb and take about 8 seconds for the error to pop up.
The error that comes up is...
"Internet Explorer cannot download ISOReDir.asp from mmweb.
Internet Explorer was not able to open this Internet Site. The requested site is either unavailable or cannot be found. please try again later."
This pops up over the top of a download dialog.
| |
|
|
|
Contagion
Posts: 7
Joined: 11/15/2004
From: Redmond, WA
Status: offline
|
RE: using asp to force download and disguise file location - 11/16/2004 14:13:48
Buffer sizes? Timeouts?
| |
|
|
|
Contagion
Posts: 7
Joined: 11/15/2004
From: Redmond, WA
Status: offline
|
RE: using asp to force download and disguise file location - 11/16/2004 14:50:34
quote:
ORIGINAL: Spooky
Whats the exact script / path you used?
Here's the whole source of my page. For what it's worth I've manged to workaround by just using a response.redirect to the file in question (which you can see me testing in one of the cases in my code). I'm guessing that using that method allows for some network sniffing to determine the file location, but we're not really worried about security at that level. I just liked the idea of streaming the file so nobody was ever hitting the real one.
<%@language="vbscript"%>
<%
Response.Buffer = true
DIM sendBack, ImageType
sendBack = FALSE
imageType = request.form("txtImageType")
IF not IsNumeric(imageType) THEN imageType = 0 ELSE imageType = cint(imageType)
IF lcase(request.servervariables("http_referer")) <> "http://mmweb/serverissues/totalcontrol/iso.asp" THEN
sendBack = TRUE
ELSEIF not isNumeric(request.form("txtImageType")) THEN
sendBack = TRUE
ELSEIF imageType < 1 or imageType > 3 THEN
sendBack = TRUE
ELSE
DIM filePath
filePath = "D:\Inetpub\wwwroot\mmweb\serverissues\TotalControl\ISO\"
Select Case imageType
Case 1
response.Redirect("ISO/x86PETCCDv12-Generic2.iso")
Case 2
filename = "x64PETCCDv2-Generic2.iso"
Case 3
filename = "ia64PETCCDv96-Generic1.iso"
End Select
Response.ContentType = "application/asp-unknown"
Response.AddHeader "content-disposition","attachment; filename=" & fileName
Set FStream = Server.CreateObject("ADODB.Stream")
FStream.Open()
FStream.Type = 1
FStream.LoadFromFile(filePath & filename)
Response.BinaryWrite FStream.Read()
FStream.Close
Set FStream = Nothing
response.End
END IF
IF SendBack THEN%>
<html>
<head>
<meta name="GENERATOR" content="Microsoft Visual Studio.NET 7.0">
<meta name="CODE_LANGUAGE" content="Visual Basic 7.0">
<meta name="vs_defaultClientScript" content="VBScript">
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
<link href="policy.css" type="text/css" rel="stylesheet">
</head>
<body>
<h3 align=center>Download failed</h3><br><br>
We're sorry, there was an error attempting to download the iso image. Please ensure that you are accessing this
image via the <a href="http://mmweb/serverissues/totalcontrol/iso.asp">Total Control ISO Download page</a>.<br><br>
If problems continue, please send mail to the <a href="mailto:mmadmin">Multimedia Server Admins</a> alias.
</body>
</html>
<%END IF%>
| |
|
|
|
Contagion
Posts: 7
Joined: 11/15/2004
From: Redmond, WA
Status: offline
|
RE: using asp to force download and disguise file location - 11/16/2004 14:59:08
Hmm... not sure if this is useful...
changing the ContentType from "application/asp-unknown" to "application/octet-stream" allows me to at least get a dialog prompting me to save.
However the filename isn't pushed forward to that dialog, and even if I select "save" I then hit the same error as before. But the behaviour is definately different.
< Message edited by Contagion -- 11/16/2004 15:09:39 >
| |
|
|
|
GoGo
Posts: 3
Joined: 11/17/2004
Status: offline
|
RE: using asp to force download and disguise file location - 11/17/2004 3:33:29
I have a problem with force download from other server. Can you help me with this?
| |
|
|
|
aaronwiles
Posts: 200
Joined: 7/5/2004
From: Aaron Wiles
Status: offline
|
RE: using asp to force download and disguise file location - 11/17/2004 17:38:00
Err.... What's the problem????
_____________________________
You really never learn to swear until you get a computer.
| |
|
|
|
GoGo
Posts: 3
Joined: 11/17/2004
Status: offline
|
RE: using asp to force download and disguise file location - 11/18/2004 11:45:06
Mp3 downloader. When I upload songs throw form at my server force download work fine but if I make link to some song on the other server then I stuck. Path is stored at MS Access database. At first case path is "/mp3/songname.mp3" and at second "http://www.some_domain/some_directory_songname.mp3"
| |
|
|
|
Contagion
Posts: 7
Joined: 11/15/2004
From: Redmond, WA
Status: offline
|
RE: using asp to force download and disguise file location - 11/18/2004 18:34:00
Does your server have a MIME type defined for MP3? Some versions of IIS 404 error when you try to connect via HTTP to a file with an undefined MIME type. I believe this is by design as a security consideration.
| |
|
|
|
GoGo
Posts: 3
Joined: 11/17/2004
Status: offline
|
RE: using asp to force download and disguise file location - 11/19/2004 4:46:00
I don't know. if song is at my server everything work fine but problem is if i'm linking some unknown server and I know only path for example http://www.some_site/somg.mp3
| |
|
|
|
Contagion
Posts: 7
Joined: 11/15/2004
From: Redmond, WA
Status: offline
|
RE: using asp to force download and disguise file location - 11/22/2004 14:43:23
Hmm.. if you know that file is really there, but the other server won't let you download it, I'm guessing they are doing something with checking the HTTP_REFERER so that external sites can't link to their file.
| |
|
|
|
smcfarland
Posts: 680
From: Nashville, TN
Status: offline
|
RE: using asp to force download and disguise file location - 11/22/2004 15:36:31
I would recommend downloading CandyPress shopping cart (candypress.com) and looking at how they set up their download purchases.
Basically, you set a folder name in the admin section, then, they dim the folder through an asp page so that when someone logs in and purchases a download it automatically redirects and opens the file to save/download without giving the folder's destination information.
I typed this all out and realized Adam's post was two years ago... but I guess if anyone needs a good solution...
_____________________________
Summer McFarland
Renter's ruined our home - Wanna help?
| |
|
|
|
pgtruesdell
Posts: 4
Joined: 12/17/2007
Status: offline
|
RE: using asp to force download and disguise file location - 1/26/2008 0:55:11
i am a complete newbie to asp so how would i modify the script to use it for just disguising a location of a file and giving access only if it they were logged in?
sorry in advance since i am a html and learning php guy.
| |
|
|
|
dpf
Posts: 7121
Joined: 11/12/2003
From: India-napolis
Status: offline
|
RE: using asp to force download and disguise file location - 1/26/2008 9:45:50
quote:
sorry in advance since i am a html and learning php guy.
then why use asp? or why be learning php? sorry, but that makes no sense
_____________________________
Dan
| |
|
|
|
pgtruesdell
Posts: 4
Joined: 12/17/2007
Status: offline
|
RE: using asp to force download and disguise file location - 1/26/2008 10:06:03
because i have spookys script and i have been using it for a while now and just want to know how i use that to have a file masked and so they have to login to view it.
| |
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts
|
|
|
Printable Version 
