Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
RE: Controlling access to pdf/doc files
From: Mark Mcdonald (m.mcdonaldcgl.com.au)
Date: Wed Feb 25 2004 - 02:12:47 CST
If you're using IIS, you could easily write an ISAPI filter (DLL) and implement it at the site (or directory, as required) level to check the authentication, and set the filter to PDF, DOC and any other file extensions you want filtered.
I have not attempted to do this, nor am I aware of anyone else implenting it, but I can't see any reason why it wouldn't work.
Mark McDonald | CGL
is | web developer
From: Sangita Pakala [mailto:sangita.pakalapaladion.net]
Sent: Tuesday, February 24, 2004 11:22 PM
Subject: Controlling access to pdf/doc files
Could I have the list's thoughts on an answer we are preparing for the
next version of the AppSec FAQ at OWASP.
Question - How can I ensure my application allows only authenticated
users access to files like *.pdf or *.doc?
Issue - Suppose a web site, say a bank site, displays the user's account
statement as a .doc file. What if someone tries to access this file by
typing its full URL into the address bar? How does the application check
whether the user trying to access the file is the authenticated user and
that the session has not expired?
Solution - One solution is to have a random number for the name of the
file or the folder containing it. This random number could even be
related to the session token of the user. This file/folder should then
be deleted as soon as the user's session has expired.
Are there better methods available to address this issue? Can the web
server run a server side program to verify the session token before
serving the final GET request for the file?
OWASP AppSec FAQ