I have some Word files which need to have hyperlinks. The hyperlinks go to an htm file with an anchor, but that htm file isn't provided via a direct url for security reasons. Rather it is linking to a ashx handler file that retrieves the file and does an response.write to show the html file in the browser. Before it does this, though, it checks to back sure that there's a valid session, and if there isn't then it just redirects to the login page. This works fine when linking from within the ASP.Net site, but when I link to it from a local MSWord file, it apparently doesn't know there's a valid session (even though I've logged in in the browser), and redirects to the login page. Is there any way around this? For compatibility these Word documents need to be in Word 97-2003 format unfortunately...
No. This won't work.
Opening the word file outside of a browser and clicking on the link is going to start a brand new session; regardless of whether you currently have a browser window opened on the site.
Because a new session is starting, the web server will assume you aren't logged in at all. Which, technically, you aren't.
Related
I'm trying to download a municipal planning plan together with all the relevant documents.
All documents can be reached from the following link
I've tried the following command (that worked well for other sites) and some variations without success.
wget -E -k -r -l 3 "http://www.mavat.moin.gov.il/MavatPS/Forms/SV4.aspx?tid=4&et=1&mp_id=ppnCWTcsST9gG0%2fa0ayWnjFyZ%2bo14s221Ujlpi7UvR4jIRAHLKhJ8lOLSkomZ%2fvlHk8b2T0oENpI6Wh2hKzxQJCw9BPJP8gav%2ftgiKlk5S0%3d"
The same plan in their new site I can't get the files either,
https://mavat.iplan.gov.il/SV4/1/5000931297/310
I'd appreciate any help.
Well, these days, and especially with .net web sites?
We don't use hyper-links with a simple (full) path name to actual files from the web server. In fact in most cases one will not even give the web server rights to those folders. (they are not exposed to Internet Services).
So, no actual links as a full "url" to documents exist.
What happens is when you click on a button or button link? Then the code behind on the web server runs. (and that is code you don't have). And further more, that code behind can browser, read, retrieve any file from any folder on the server or other servers. But links from the web site don't exist and it not even possible to type in a url to resolve to a actual file name on the server.
So the server side code (not internet services) goes and grabs the document. In fact, the documents could be in a database. So, the code behind on the server side runs and pulls the binary data from the database (which represents a valid PDF file). Or the code behind reads the file from disk and then STREAMS the file for a download.
Now, this is often done for reasons of security. It means that no valid URL exists to get at a document.
Not only is this done for security, but from a developer point of view, it often better to retrieve a row from a database. That row can have the information you SEE rendered on that form, but the web page is not static, and the display of information is thus a developer coding a pull of rows from a database, and then you simply "assign" that data to some type of control - save datagrid, or listview or whatever. (this assignment of data is only 1 or two lines of code, and then the control + web server renders that datagrid control.
So, this is done since the developer thus only assigns the result of a database query to the control when then renders on the form. Thus, to add or remove documents? Then you only have to edit the database for the information on the web page to render.
As a result? There is no direct links to the actual documents on the server. To retrieve a document, you would have to send to the web site the exact command required.
You can hit f12 (most browsers support this). This will put your browser into developer mode. If we do this, and then select elements (select element feature). Now click on a pdf link. You get this:
<img src="../images/ft/file_PDF.gif" style="cursor:pointer"
onclick="openDoc('99000526871729',
'AABA7BE646E182B67DB1C15220E531DF36BBB591D8EEA7757435B2606C08E6F9')">
So, note above. The above code event openDoc is the SERVER side code you have to run to retrive a document. There is thus NO link. And you not going to be able to wire up, or run your OWN web page that hits that server and runs the routine "onclick".
However, the onclick DOES expose the internal database document numbers used to pull/read and retrieve a given document. But the path name, and how the code gets/grabs this file? You have no idea, and HAVE to run server side code (c#, or vb.net) code. That code as noted grabs the file and then uses code to "stream" the file when you download or click on a link.
So for simple HTML like pages? Well, for those that took a one day HTML course? Sure, such web sites will have scr=some path name to a valid url). And these simple systems thus allow you to enter a URL to grab/get a document. And those documents are fully exposed to the web site, and a simple valid URL path name to a file exists. Not so with asp.net, and as noted, this is not only done for security, but it a better over all developer experience to write code that grabs the files as opposed to rendering full path link names to files.
There are many additional benefits. For example, the database that drives this likely has a setting (or some settings) that contain the path names to the documents. If they run out of storage, or say want to move older files to a much slower storage system, which of course is much lower cost? Then can move the files, and update the path name columns in the database. The web site will continue to work, since we NEVER using a exposed URL on the web site. And as noted, actual direct URL's don't exist, and the web server (IIS) as opposed to the code behind will not even have rights to the file names.
As a result?
You not be able to simply pull the web page, and THEN extract the URL's to file names.
What you might be able to do is write code that loads the web page, and then scans all the event code stubs for the links, and have your code click on each button with web browser automation. But, even that don't allow you to enter file names into the download prompts.
So, what you ask is not easy, likely not possible, and a very difficult task. And the simple reason is that site does not use simple HTML and static links to files, and it never actually exposes a direct link to files, and even worse yet is the web server does not have or even allow a URL direct link to a site - they don't exist, and the web site will not even have rights or even allow such URL's to file names. (only the .net code behind does - not internet services).
and grabs the document and then code "streams" the file to to the web site or link you clicked on. So the simple HTML coders in the past would create say a folder (usually a virtual folder) that points to the files on some server/folder. But with .net, it easier (and far more secure).
Modern development tools don't use old fashioned ideas like a URL's to directly retrieve a file - they are designed differently.
In some cases, URL's are allowed or created, and this is done for reasons of sharing links. So if you have a cute video or document? Then the designers of the system will often permit use of parameters in the URL, so you can share a link to someone else. This page has no such provisions. So, you can share a link to the page, but no actual URL to documents or even provisions to allow URL's to a document even exists.
So this quite much means to retrieve a document, you have to go to that web page, and ONLY when you click on a document will the web site "stream" down that one particular document in question.
I have the following scenario, and I wanted suggestions on what is the best way to handle this. My web app (ASP.NET 2.0 / IIS 6) generates PDF files, and I have a results page with links to those PDFs.
Now, I noticed that if I visit the results page, click on a PDF file (it opens in a new window), then re-generate the PDF file, and click on the same link in the results page, the OLD PDF is shown, instead of the new one. I had to delete the temporary internet files in order to see the new one.
So, since I'm NOT serving an ASPX that actually writes the PDF (and I do not want the Save dialog to show), but straight linking to the PDF file, I want to know what the best way to make sure the user always sees the latest file in the server, not a cached version.
I'm guessing adding no-cache headers is out of the question. But the PDF request would still go through an HTTP handler, so I'd like to know if I should create a specific HTTP handler to intercept requests for PDFs, or if i should do this at the IIS level...however I dont necessarily want to avoid caching ALL PDF's on that site.
Any suggestions? Thanks in advance for the help.
If your link to the pdf document had a unique querystring appended I believe that would prevent caching. Time in ticks is a good one to use, eg:
string.Format("{0}?t={1}", pdfFileUrl, DateTime.Now.Ticks);
I just had a similar issue. I have my page allows users to input data and generate new a pdf file Save clicked. The new pdf file overwrites the old one. In IE8, when user click the pdf link after the Save, the old pdf will always showed (user need to clear the cache to display the new one).
After hours of searching, I found that in IIS6, go to 'Output Caching', add a new cache rule with file extension '.aspx', tick both 'User-mode caching' and 'Kernel-mode caching' then under both options, select 'Prevent all caching'. This is working for me!
The fact the clearing your temporary internet files gave you the new version shows the browser is the source of the cache. You could turn iis caching off but that wouldn't stop proxies caching the document. If you need to be 100% sure that the user sees that latest version, I suggest using a query string value to cause the url to be different. The query string could be the pdf generation timestamp.
What are the differences between
Response.AddHeader("Content-Disposition", "attachment;filename=somefile.ext")
and
Response.AddHeader("Content-Disposition", "inline;filename=somefile.ext")
I don't know the differences , because when I use one or another I always get a window prompt asking me to download the file for both of them. I read the specs, but it is clueless.
Because when I use one or another I
get a window prompt asking me to
download the file for both of them.
This behavior depends on the browser and the file you are trying to serve. With inline, the browser will try to open the file within the browser.
For example, if you have a PDF file and Firefox/Adobe Reader, an inline disposition will open the PDF within Firefox, whereas attachment will force it to download.
If you're serving a .ZIP file, browsers won't be able to display it inline, so for inline and attachment dispositions, the file will be downloaded.
If it is inline, the browser should attempt to render it within the browser window. If it cannot, it will resort to an external program, prompting the user.
With attachment, it will immediately go to the user, and not try to load it in the browser, whether it can or not.
It might also be worth mentioning that inline will try to open Office Documents (xls, doc etc) directly from the server, which might lead to a User Credentials Prompt.
see this link:
http://forums.asp.net/t/1885657.aspx/1?Access+the+SSRS+Report+in+excel+format+on+server
somebody tried to deliver an Excel Report from SSRS via ASP.Net -> the user always got prompted to enter the credentials. After clicking cancel on the prompt it would be opened anyway...
If the Content Disposition is marked as Attachment it will automatically be saved to the temp folder after clicking open and then opened in Excel from the local copy.
I'm still rebuilding old ASP to new and iframing certain things that take up too much time.
I'm stuck at a search function that normally returns an excel file (browser asks save or open). the result page for this is now iframed but it does not seem to propagate the file anymore, so no more save-file popup.
I must add that this iframe is being filled through a custom httphandler that posts to the old pages based on certain criterie, the searchcriteria in this case.
does anyone have an idea on how I could make the excel propagate once again?
The way to ensure you get a save-file prompt and not a page, do the following:
Open the file in ASP
Send the MIME header for Excel
Stream out the file from ASP
You may also choose to hold the files outside of the web root so they cannot be downloaded directly.
Here are a few examples: 1 2 3
This may come in handy as well:
How to output an Excel *.xls file from classic ASP
It *seems* like a security issue. What happens if you open the URL which is being loaded in the IFrame in a new browser? To confirm it, you can try opening the URL, and see what happens.
Let's say we have a web site with a CF app that was written in-house.
Assume that:
Server 2003 IIS6 or 2008 IIS7 will be used
ColdFusion 8 will be used
Directory browsing is denied
SSL is required to connect
The account login process is secure (yeah I know that is a whole other
ball of wax but that concept is discussed ad nauseum on the web).
Say I have a file at https://domain.com/folder1/folder2/ with a name like picture92352.ext imagine it as a jpg or pdf or whatever. The entire path between the domain name and the file varies widely in naming structure, depth, etc. Files are not all lumped together in one folder.
The app restricts links by user such that a user would have to have access to that file to find it in the first place but as it stands now if a person knew the full URL to that file they could retrieve it without logging in to the app. It's the classic security by obscurity situation. A random person isn't likely to find a file they shouldn't get to but once someone is given access they know how to access it from another PC where their actions might not be traced back to them.
How do I restrict access to these files before someone logs in and still make them accessible to outside users after they log in? Is there a way to do it with permissions only or is the only answer to have code dynamically moving files around at the time of the request or is there some obvious step I'm not even thinking of?
Let me clarify this slightly. No matter how the file is presented on a page a user can use the browser IE, Firefox, etc to examine the URL the file comes from. If the image is a link there is always copy shortcut in the right click menu for IE and the same functionality in FF is called copy link location. If the image is displayed inline as part of the page an IE user can right click and choose properties to see the URL, in FF the same functionality is present to see properties but there is an even quicker more convenient option labeled copy image location. Once a user knows the URL to a file if the location or file name doesn't change they can use that URL without authenticating in the CF app.
If I change the NTFS/share permissions so that IUSR can't see the content then my CF app and IIS can't push it. What strategy do I use to provide the file in the CF app that doesn't leave this hole open?
You could write a CFM page that serves up the images. Then you just make sure they are authenticated inside the CFM.
<!-- something like this -->
http://localhost/GetFile.cfm?file=foobar.jpg
In GetFile.cfm, you would do something like:
<!-- the filename part is what the browser will pre-popualate the file name in the download dialog as -->
<CFHEADER name="Content-disposition" value="attachment;filename=picture92352.ext">
<CFCONTENT type="text/plain" file="\\fileserver\folder1\folder2\picture92352.ext">
Take a look at the various MIME types.
If you wanted to do something similar but keep a more natural URL, I think you would need to leverage the Java servlet underpinnings of ColdFusion to create a handler for any URL matching a certain pattern.