Protect PDF files via ASP?

Brian Madden

Hello All,

I have what I thought would be a simple problem although I've been searching
for a few hours with no luck.

I have several PDF and MPG files I would like to provide to users to
download via HTTP. I also have a database of user accounts. I would like to
protect the PDF and MPG files so that users cannot "save target as" or "view
source" to directly link to the files.

My first thought is that I would have to remove anonymous access to these
files and/or their parent folder within IIS. I was thinking that I could
then create a Windows account called something like WebUsers and give it
access to that folder. I'm hoping to write some ASP code that authenticates
my users against my own database and, if successful, logs them into IIS via
the WebUsers account (so that all my users share the same account).

My problem is I cannot find any code or method or object to do this. Is there
some simple function that I can use to pass a username, pw, and domain to
IIS to authenticate the user that would then carry through for them to be
able to download non-ASP (PDF, etc.) content?

Or, am I completely thinking about this the wrong way? It seems to me that
this is something that would be fairly common.

Thanks,
Brian
 
Tim Williams

You can use an ADO Stream object to do this: it reads the file from
its location and streams it to the user.


Tim.
 
Tom Kaminski [MVP]

To add to what Tim said ...

Put the files outside of the wwwroot path so there is no direct URL access
to them. In your ASP code, authenticate your users from your database and
then as appropriate use ADODB.Stream to Response.BinaryWrite the contents of
the PDF.

Here's an example with jpg, just change the relevant bits for PDF:
http://www.aspfaq.com/show.asp?id=2161
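
The approach described in this reply, as an added example (not part of the original posts and not the code from the linked article). It assumes a login page that sets a hypothetical Session("UserID") after checking the user database, a hypothetical D:\ProtectedFiles folder outside wwwroot, and constructed file names; the id-to-file lookup keeps any path in the request from reaching the file system.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Assumed names: Session("UserID"), login.asp, D:\ProtectedFiles, file list.
Const BASE_DIR = "D:\ProtectedFiles\"   ' outside wwwroot: no direct URL
Const CHUNK_SIZE = 262144               ' bytes sent per BinaryWrite
Const adTypeBinary = 1

Dim fileName, contentType, stream

' 1. Only users who passed the database login may continue.
If IsEmpty(Session("UserID")) Then
    Response.Redirect "login.asp"
End If

' 2. Map a short id to a fixed file name on the server. The request never
'    supplies a path, so "..\" sequences cannot escape BASE_DIR.
Select Case Request.QueryString("id")
    Case "1"
        fileName = "agenda.pdf"
        contentType = "application/pdf"
    Case "2"
        fileName = "keynote.mpg"
        contentType = "video/mpeg"
    Case Else
        Response.Status = "404 Not Found"
        Response.End
End Select

' 3. Stream the file in chunks. Buffering is off so ASP does not hold the
'    whole response; note LoadFromFile still reads the file into the stream.
Response.Buffer = False
Server.ScriptTimeout = 3600             ' large downloads outlive the default
Response.ContentType = contentType
Response.AddHeader "Content-Disposition", _
    "attachment; filename=""" & fileName & """"

Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile BASE_DIR & fileName
Response.AddHeader "Content-Length", CStr(stream.Size)
Do While Not stream.EOS And Response.IsClientConnected
    Response.BinaryWrite stream.Read(CHUNK_SIZE)
Loop
stream.Close
Set stream = Nothing
%>
```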
 
Brian Madden

Awesome guys, thanks a lot!

Do any of you have any experience with "Coldlink?" It's a product that does
dynamic URL rewriting that includes keys in the URL that are only valid for
5 minutes. (It works as an ISAPI filter.) In my case I want my solution to
be as "real" or "normal" as possible. I have people who will be downloading
large video files from a conference, so each file could be several hundred
megabytes.

Thanks again.. I'll be checking this stuff out today.

Brian
 
Jeff Cochran

To add to the others, this is also futile. If you want me to view a
PDF or an MPG, it has to transfer to my system. Once there it's under
my control, not yours. I can save it and send it on.

Of course, that only applies to the authorized users after you secure
the files, but you can't truly control content on the internet.

Jeff
 
Brian Madden

Oh yeah, I totally hear what you're saying. Unless I get into the DRM for
the MPEGs, I realize that anyone can do anything with the files. I think
some people have the feeling that it's not "stealing" if they just link to
the file on my site, even if it's a deep link to a private area. So by
implementing the methods outlined here, at least people will be forced to
actively get around it (by downloading, saving, and linking) as opposed to
just an "innocent" link to the file on my site.

Thanks again everyone,
Brian
 
