I have built a vb.net web application. I have tried to make it secure, with all users requiring a password to get in.
The only problem is that if anyone can guess (or detect using some kind of hacking tools) the url of the javascript file, they can download it and read it, without even having to log in first.
Is there any way that this can be prevented?
If the javascript file is not required as part of the logon process, then you can secure the file on the server so your users need to be authenticated and authorized in order to access it. This will prevent unauthorized access. Approaches to securing this file include using file system Access Control Lists (ACLs - 'Windows file permissions'), or using the "authorization" element in the ASP.NET web.config.
If the javascript file is required as part of the logon process, then you've got to give anonymous (unauthenticated) accees to the file, in which case you cannot prevent people being able to download it.
Don't serve the JS file up to people who haven't authenticated.
I don't known ASP.NET well enough to say what the best approach would be, but worst case is you stick it in a .aspx file, do the auth/authz stuff at the top, then set the right content type and serve it.
Related
I have a javascript file for admin page only in my site. How to do that, the file was available only for admins. Checking roles performed by cookies. Maybe some sort of a check on the server? Server apache.
ps: sorry for my bad english.
Even if you check cookies from Javascript code [it is possible to check] but the JS will still get downloaded on client computer. I think you want such that no other than admin can download the file. If that is the case, then better use .htaccess or web.config file to resrtict folder which contain admin specific files for proper authentication.
in a tricky solution you can use URL Rewriting as well to prevent file download unless your PHP or server side code verify the user.
I have a got a file server and a web server. They are running on physically different machines.
I would like to download a file from the FTP server via JavaScript. The reason I have to do it via JavaScript is that I have an external application and I can only inject JavaScript into that application.
Basically, I need to specify ftp address username and password. But I am concerning about security as people can view FTP credentials.
What is the best way to implement such scenario?
Thanks for your help
Regards
Javascript only speaks HTTP and WebSockets (on newer browsers), and not FTP. In that situation, keeping it all on the client-side, you'd probably have to write a Flash or Java applet that handles the actual FTP protocol, and interface with Javascript to provide interactivity.
Unless you're planning on redirecting the browser to the ftp site, passing in the username and password? Are you concerned about the users getting the FTP information, or are you concerned with man-in-the-middle attacks sniffing the plaintext FTP credentials?
JavaScript doesn't support FTP. What you need is a server-side or a more robust client-side language to access the remote server.
If by "downloading" you mean "prompt user to save a file from external link" (which basically means open a new window with URL that points to a file) then you can just point user to a script you have control over.
window.open('http://myserver/get_file/filename');
And your server-side get_file script will do all the work of connecting to a FTP and fetching a file
How about creating an iframe and setting the url to ftp://whatever?
first of all my question: Is it possible to pass file names from a running Flash application, which only purpose is to enable multiple-file-selection, to a JavaScript application which handles upload of all files to the server?
I have examined various Flash upload solutions (like SWFUpload, Uploadify, etc.) and none of them meets my needs. I want an easy to implement solution (like Uploadify) which also lets me specify various parts of the HTTP request.
The reason I need this is because my upload form uses session cookies (for user authentication) and an CSRF token both passed to the server when uploading files.
Is it technically possible to pass filenames (+ paths) to a JavaScript application which then handles the upload?
Thank you,
FMD
I'm sorry but no, its not possible to pass the filenames to JavaScript from Flash, however, you could pass the session ID to Flash.
If you are using PHP (I'm not saying you are, your server side language might have similar functions), you could reestablish the session:
session_id($_POST['ses']);
session_start();
The reason why you can't pass the filenames to JavaScript, (or set it by script in the first place) is that it would be a major security issue, consider the following:
var uploader = document.getElementById('id_of_input_type_file');
uploader.value = 'c:\Users\Administrator\Documents\commonBankKeyFile.ebjkeystore';
document.getElementById('formId').submit();
...And there you go, I just got your bank credentials just by you visiting my page, no Phishing needed.
How do I check if the user accepted a file download in JavaScript. Example: If the site pops up a download link, and the web browser asks the user to download the file, how do I determine on that page if the user accepted the download or not?
JavaScript will not have access to that information. In general, JavaScript inside web browsers is limited to simply interact with the DOM.
You may be able to do something on the server-side that logs the start of the download stream, but as #Pointy and #Marcel noted in comments to another answer, this could be quite tricky. In such a case, you would then be able to ask the server for this information using AJAX, or long polling, etc, in near real-time.
You will have to do it indirectly by checking the web server log file via an AJAX call. This will require you to write some server side code (and you must have access to the log files).
There's a second way of doing it, and that's to stream the file through a server side program. That way you can set a flag when the file has started to stream and retrieve this flag via an AJAX call.
I have a directory on my server that I do not want Search Engines to crawl and I already set this rule in robots.txt
I do want people that have logged in to be able to have access to this directory without having to enter a password or anything.
I am thinking that a cookie is the best thing to put on users computers after they login, and if they have a cookie, they can access the directory. Is this possible, or is there a better way?
I want people without this cookie to not have access to this directory - access for members only
Any suggestions on the best design for this?
The answer depends on the webserver used and, if any, also the server side language. Judging your question history, I'll bet that it's Apache HTTPD.
If that is true, then you can just put an .htaccess file in the folder in question to control the access by HTTP basic authentication. If you want more flexibility, you'll need to control it in the server side language in question. Basically you just need to store the logged-in user in the session and check on every request if the user is there and if it is allowed to do the request.
That said, since you tagged Javascript as well, it might be good to know that JS is a client side language and thus can be fully controlled/disabled/spoofed/hacked by the client. Forget about it when talking about security. JS is generally only good for progressive enhancement of the webpage.