Messages
Reply
Edit
Delete05:35 am
3PC0BZZG8
| From: | Marty Cantwell |
| To: | Mike McDonald |
I've never found a way to use Basic Authentication without user interaction. So the only way I've found to do what you are attempting is to use a server proxy to serve up the files instead of doing so with IIS. There are a couple of ways I've used to do this myself.
One way is to have your server copy the file(s) into a folder structure which has Anonymous access and redirect the user directly to the file(s). For higher security you could hash the name of the specific file(s). Then after a timeout period of your choice, your app could then delete the files or you could use Rick's cool FileDelete.exe utility that comes with Web Connection do this housekeeping.
Another way is to use your application to stream the files to the user directly. You would have to manage the 'directory listing' of the files the user sees, but from your description it sounds like you may already do that anyway. This way your files are always stored in a proteced folder that your app has access to and never directly exposed to the public Internet.
I have personally used both these methods and they help ensure that the user getting a file is authenticated through the app, especially the latter method.
Marty
All -
Is there any way to set something in the response of an HTML page that would cause the visitor's browser to become authenticated within IIS, without bringing up the authentication dialog?
Our system allows users to log into the website, which we track using a session cookie and the wwSession table. This concerns our own user database, and has nothing to do with IIS authentication. Most subsequent requests go through our web app and it will confirm the user as necessary.
However, depending on the client, our pages include links to other media files (PDF files, etc) located within certain subfolders. Right now these subfolders allow Anonymous Access, and anybody could view the files if they have the appropriate links. There is really nothing 'critical' in these files, but the client would like to have it set so that anyone hitting these links be confirmed as being 'logged in' (to our system).
What I would like to do is when a user logs in, we send something in the response that causes that browser session to become authenticated automatically, instead of bringing up the authentication dialog and the user having to know the proper credentials. Then we could set the appropriate subfolders to require authentication before serving up the files. These files are not getting served through the WC app, but directly from IIS.
Is this possible, or is the authentication dialog required to be shown to the user for security reasons?
- Mike McDonald
Software Design of Kentucky
