
Re: Security implementation question

  • Thanos Chatziathanassiou
    Jan 3, 2003
      Hi Richard,

      Happy new year to the list, BTW.

      richard@... wrote:

      >Can anyone either point out any major problems with this approach, or
      >alternatively (preferably), suggest a better alternative ?
      >In case it makes any difference to people's ideas/views, I am not using Apache
      >for access control. Users authenticate against a database, then on each page
      >they visit, their user level (taken from the session object) is checked
      >against the access level required for that page.
      >
      Since you already have the user's level in the Session object, you can
      have an ASP page handle the downloads, like this:
      - check if the user has the required level.
      - set $Response->{ContentType} to whatever it is you want
      - open the (out of the webroot) file and while reading it, output to
      the client.

      Now with this approach you will avoid the constant back and forth
      copying of files and the remote possibility that a user can guess the
      filename, but there are some drawbacks:
      - the ``heavy'' Apache mod_perl process will be tied up for the duration
      of the download, so depending on your setup, the size of the download
      and the speed of the clients, you might need more httpds running. The
      mod_perl guide can help you more on this - rather large - subject
      (http://perl.apache.org/docs/1.0/guide/index.html).

      I really don't know if the above is a better solution, just a thought.

      Regards,
      Thanos Chatziathanassiou
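
The three steps listed in the message above, as an added Apache::ASP example (not code from the thread). It goes one step further than the message by resolving the file through a fixed id table instead of a client-supplied name, so the request cannot choose the path. The store directory, the table entries, the `id` query parameter, the `level` session key and the "higher number means more access" rule are all assumptions.

```perl
<%
# download.asp -- added example; every name below is hypothetical.
use strict;
use File::Spec;

# Assumed layout: files sit outside the DocumentRoot, so Apache never
# serves them directly and a guessed URL leads nowhere.
my $STORE = '/var/data/downloads';          # placeholder path
my %FILES = (   # download id => [file name, required level, MIME type]
    report => ['q4-report.pdf', 2, 'application/pdf'],
    manual => ['manual.zip',    1, 'application/zip'],
);

# The client sends only an id; the file name comes from the table above,
# so "../" sequences or absolute paths in the request have no effect.
my $id    = $Request->QueryString('id');
my $entry = defined $id ? $FILES{$id} : undef;
unless ($entry) {
    $Response->{Status} = 404;
    $Response->End;
}
my ($name, $required, $type) = @$entry;

# Step 1: check the user's level (assumed stored as $Session->{level} at
# login, with a higher number meaning more access).
my $level = $Session->{level} || 0;
if ($level < $required) {
    $Response->{Status} = 403;
    $Response->End;
}

# Open before sending headers so a missing file still yields a clean 404.
my $path = File::Spec->catfile($STORE, $name);
open(my $fh, '<', $path)
    or do { $Response->{Status} = 404; $Response->End; };
binmode($fh);

# Step 2: set the content type for this file.
$Response->{ContentType} = $type;
$Response->AddHeader('Content-Disposition', qq{attachment; filename="$name"});

# Step 3: read the file in chunks and write each one to the client, so the
# whole file is never held in the mod_perl process's memory.
while (read($fh, my $chunk, 64 * 1024)) {
    $Response->BinaryWrite($chunk);
    $Response->Flush;
}
close($fh);
%>
```

The httpd child stays occupied for the whole loop, which is the drawback the message describes for slow clients and large files.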
