in reply to file download security

I'm boggled by this. Is there some reason why you can't turn on password protection in the webserver? I'm pretty sure they invented that for things like this. There isn't much in the way of gymnastics you can do to fix this.

My best suggestion would be that you let them select which file they want at the same time as they are offered the password login. Then, have the download script check that they have asked for a legitimate file AND that they have entered the password. If they don't give you any post/get data, redirect them to the front page and if they give you bad data show them an error. I think that is the best you are going to do.

And if you really are checking the password in javascript and you dared utter "secure" in the same breath, I'm never speaking to you again. =) =)

--
$you = new YOU;
honk() if $you->love(perl)

Replies are listed 'Best First'.
Re: Re: file download security
by lonewolf32 (Initiate) on Apr 15, 2002 at 15:54 UTC
    I know - this won't be terribly secure. We are a small "niche" company, few ordinary people would want to download our stuff. I just want to get past the obvious security holes that a casual user would be tempted by.
[reply]
      Welll, OK. *eyes you suspiciously* =)

      I still don't understand why you don't just turn on some sort of webserver authorization for the directory you place the files in. That would solve your problem with exactly 0 lines of code...

      --
      $you = new YOU;
      honk() if $you->love(perl)

[reply]
        can you be more specific? The only thing I know how to do on the server is set permissions on files/directories using the NT interface... but like I said if I restrict access to that directory, I can't link to it either.
[reply]
        could you be more specific? I know how to set up file permissions within NT but like I said before if I restrict a file or directory my calling file can't get to it either.
[reply]

In Section Seekers of Perl Wisdom