MartinKearns Posted October 5, 2007

Thank you in advance for any help I might receive...

My problem is:

I have a website built using ASP, and it is hosted on a Windows 2003 server.

The website features SSL through which users can log-in, then access written reports, and images / audio files / video files which support the written reports.

When I upload via SSL each image / report / video clip etc, they each then sit on their own unique URL e.g.

http://www.mywebsite.com/images/upload/1967124.jpg or
http://www.mywebsite.com/clips/upload/219.wmv or
http://www.mywebsite.com/report/upload/58628.doc

Via their own log-ins, clients can then access / view / download these files; that, in itself, is fine....

BUT - there is a potential security loophole; it is possible (albeit unlikely, but that is not good enough!) if you know the unique URL on which any given file sits, to just type / paste it into a browser window NOT protected via the SSL log-in, and view accordingly.

Ideally, I need some code which in those circumstances will redirect the browser to a Forbidden 403 error page.

Does such a code exist for a website in ASP on a Windows 2003 server?

Thank you again for any help you can give.
Reg Edit Posted October 11, 2007

IIS has settings which allow you to enforce use of https. In IIS Manager:

- Right-click the website, and choose Properties
- On the Directory Security tab, under Secure Communications, click Edit
- On the Secure Communications dialog, check both “Require secure channel (SSL)” and “Require 128-bit encryption”

If anyone attempts to navigate to a page on the site without using https, a 403 error occurs.

You mention logins also; remember that though SSL provides encryption of the data flow between client and server, it does not control which users can access which resources. For that you will need to look at authentication and authorisation mechanisms.
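Reg Edit's closing point, that requiring SSL does not decide who may fetch a file, shown as an added example that is not part of the original thread: a classic ASP script that serves uploads only to the logged-in client who owns them. The script name `download.asp`, the `f` query parameter, the `PRIVATE_ROOT` path, the `Session("UserID")` value and the per-client folder layout are all assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' download.asp: added example, not code from the thread.
' Assumptions (hypothetical): the login page sets Session("UserID") to a
' numeric id, and each client's files sit in PRIVATE_ROOT\<UserID>\, a
' folder outside the web root, so no URL maps to them directly.
Const PRIVATE_ROOT = "D:\private\uploads\"

Sub Deny(status)
    Response.Clear
    Response.Status = status
    Response.End
End Sub

Dim re, fileName, userId, path, fso, stream, types

' 1. Transport: refuse plain HTTP.
If LCase(Request.ServerVariables("HTTPS")) <> "on" Then Deny "403 Forbidden"

' 2. Authentication: a logged-in session is required.
userId = Session("UserID")
If IsEmpty(userId) Or Not IsNumeric(userId) Then Deny "403 Forbidden"

' 3. Input validation: digits plus an allowed extension, so no "..", slash or drive letter.
fileName = "" & Request.QueryString("f")
Set re = New RegExp
re.Pattern = "^[0-9]{1,10}\.(jpg|wmv|doc)$"
re.IgnoreCase = True
If Not re.Test(fileName) Then Deny "403 Forbidden"

' 4. Authorisation: look only inside the requesting client's own folder.
path = PRIVATE_ROOT & CLng(userId) & "\" & fileName
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(path) Then Deny "404 Not Found"

' 5. Stream the file through the script in 64 KB chunks.
Set types = Server.CreateObject("Scripting.Dictionary")
types.Add "jpg", "image/jpeg"
types.Add "wmv", "video/x-ms-wmv"
types.Add "doc", "application/msword"
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1    ' adTypeBinary
stream.Open
stream.LoadFromFile path
Response.Buffer = False
Response.ContentType = types(LCase(fso.GetExtensionName(path)))
Do While Not stream.EOS
    Response.BinaryWrite stream.Read(65536)
Loop
stream.Close
%>
```

With this layout, client pages link to `download.asp?f=1967124.jpg` instead of the file's own URL, and a pasted link returns 403 unless the browser carries that client's session.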
MartinKearns Posted October 20, 2007

Thank you Reg Edit for your advice.

Regret to advise that my own techie states that this process does not resolve the problem.

I will be grateful for any further suggestions - thanks again!
Archived
This topic is now archived and is closed to further replies.