Client side access

Jon Slaughter

How do I go about accessing some client side control? I'm trying to design
a web site in ASP.NET (well, I want to but I'm seeing that JSP might be
better. I don't like Java but I do like the fact that JSP is portable and
supposedly has better features than ASP).

Anyways, my web site needs to get some files from the client side and
compute its hash BUT not upload it to the server first (because it would be
way too slow and useless to do since I don't care what the file
actually is except its hash). Can I do this with ASP? Do I have to write an
ActiveX control or use Java?

I want the code to be hidden from the user as much as possible as I don't
want certain people to see how I compute the hash (because they will be able
to view the hash and might use it for bad purposes).

Is this possible? I suppose that any time code is going to be run on the
client side there is the possibility of hacking the code but I do not want
it to be something obvious like a VB script (and definitely do not want them
to be able to modify the way the hash is created).

How can I go about this?

Thanks,
Jon
 
Nathan Sokalski

If something needs to be run on the client-side or use a file without
uploading it, you will need to use ActiveX, because ASP.NET does not have
access to files on the client, and cannot execute files on the client. The
reason ASP.NET was designed this way is for security reasons. If you don't
like java, I would suggest you take the ActiveX approach so that you can
take care of this scenario and do the rest with ASP.NET. I will admit that I
have never written ActiveX or JSP (although I have written java), so I can't
say which one is better, but if they will both work for your scenario, it is
usually better to choose the one you are more comfortable with.
 
Thomas Hansen

[snip]
Redesign your whole application!
Don't use ActiveX and DON'T use Java Applets...!!

If you need to hash files on the client side I'm willing to bet
multiple vital organs you WILL get into security problems and you WILL
compromise security!!

..t
 
Jon Slaughter

Thomas Hansen said:
[snip]
Redesign your whole application!
Don't use ActiveX and DON'T use Java Applets...!!

If you need to hash files on the client side I'm willing to bet
multiple vital organs you WILL get into security problems and you WILL
compromise security!!

My application hinges on doing the hashing. It's sorta like CDDB with files.
It does me no good if I can't hash.

It's more important to hash than have a secure hash (e.g., if people see how I
hash then it's not such a big deal but I want to try and keep it private if
possible).

So I could have the user run a client side app that computes the hash and
then they copy and paste it into a web form but that's pretty much useless.
It needs to be automated as much as possible. If I can get the hash part
down then the rest can be done on server side (all they will need to do is
say which files are to be used).

This is not much different from how an online virus scanner works so it's not
impossible. I can upload the hashes separately but I would like to make it
as transparent as possible.

I initially was going to write an application in C# that did this and used
an SQL database but the problem is with the security of the database (which
is the most important thing. If someone gets in there and screws it up then
it's useless. By doing the security on a server I can do a much better job
than if some 12 yr kid reverse engineered my C# app and got the SQL
information and then hacked the server (or tried)).

I'm thinking that either I have to write a small Java applet that computes
the hashes and uploads them to the website or write a stand alone
application that does everything. Each poses its own problems and it all
boils down to security. In the second case I don't see how to solve the
issue and in the first I would just have an "insecure hash". This isn't that
big a deal I think because they can't do much with it (well they can but it's
not as important at this point).

It's kinda useless if I have 100k (assume) users all uploading their files to
be hashed. I'd require a mega server with a huge bandwidth. This is
necessary cause the hashing can be done on their side quite easily.

I think my best choice at the moment is to use Java.

Jon
 
Jon Slaughter

Nathan Sokalski said:
If something needs to be run on the client-side or use a file without
uploading it, you will need to use ActiveX, because ASP.NET does not have
access to files on the client, and cannot execute files on the client. The
reason ASP.NET was designed this way is for security reasons. If you don't
like java, I would suggest you take the ActiveX approach so that you can
take care of this scenario and do the rest with ASP.NET. I will admit that
I have never written ActiveX or JSP (although I have written java), so I
can't say which one is better, but if they will both work for your
scenario, it is usually better to choose the one you are more comfortable
with.
--

Well, the issue with ActiveX is that it only works with IE? I don't like
Java but if it's the best thing to use for my problem then I don't mind.
Since I only need it to compute some hashes and transfer them to the server
side then it's not a big deal to code (or shouldn't be).

The main issue I have is one of computing the hash and it being hacked. It's
not a huge issue but as a precaution I'd rather prevent it from easily being
reverse engineered (not that it will be but if it's a VB script that is
downloaded then someone might get a *bright idea* and cause some trouble).
Not that it's likely but I was wondering if I could prevent it.

I know ultimately it's impossible because if I compute the hash on the client
side then it can be *seen* in some way (it has to be). But if I compute it on
the server side then I have to transfer the file. The first case is the
lesser of two evils here (the hashes are not "private" in any way).

Thanks,
Jon
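
Added example, not part of the original thread or any poster's code: the flow discussed above, where the browser hashes a selected file locally and the server treats the submitted digests as untrusted input because client-side code can be read and altered. SHA-256 via the Web Crypto API, the JSON body shape, and the names `hashFile`, `validateSubmission`, `lookupDigests` and `SAMPLE_CATALOGUE` are assumptions; the thread names no algorithm or API.

```javascript
// Added example. SHA-256, the JSON body shape and all names are assumptions.

// Browser side: hash a File from <input type="file"> without uploading it.
async function hashFile(file) {
  const digest = await crypto.subtle.digest('SHA-256', await file.arrayBuffer());
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0')).join('');
}

// Server side: the client code can be read and altered, so the request body
// is untrusted. Accept only well-formed digests, bounded in number.
const HEX_SHA256 = /^[0-9a-f]{64}$/;
const MAX_DIGESTS = 100; // constructed limit for this example

function validateSubmission(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch { return { ok: false, error: 'malformed JSON' }; }
  const list = parsed && parsed.digests;
  if (!Array.isArray(list) || list.length === 0 || list.length > MAX_DIGESTS) {
    return { ok: false, error: 'digests must be an array of 1..' + MAX_DIGESTS + ' items' };
  }
  const unique = new Set();
  for (const d of list) {
    // Non-strings become '' and fail the pattern; hex case is normalised.
    const norm = typeof d === 'string' ? d.toLowerCase() : '';
    if (!HEX_SHA256.test(norm)) return { ok: false, error: 'not a SHA-256 hex digest' };
    unique.add(norm);
  }
  return { ok: true, digests: [...unique] };
}

// Constructed sample catalogue keyed by digest (SHA-256 of the empty file).
const SAMPLE_CATALOGUE = new Map([
  ['e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', 'empty file'],
]);

// A validated digest is used only as a lookup key; unknown digests map to null.
function lookupDigests(catalogue, body) {
  const checked = validateSubmission(body);
  if (!checked.ok) return checked;
  return {
    ok: true,
    matches: checked.digests.map(d => ({ digest: d, entry: catalogue.get(d) ?? null })),
  };
}
```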
 
