david_navigator, posted March 22, 2021

If I understand correctly, with UniGUI all files that need to be served to any user go in a common /files/ folder. So how do I stop User 1 from viewing User 2's files (I'm using the UniPDF viewer)?

For example, if I generate a PDF for User 1 with a copy of their invoice (user1_invoice.pdf), how do I stop User 2 just making a guess and typing in https://www.mydomain.com/files/user1_invoice.pdf in an attempt to find a copy of User 1's invoice?

I can obviously use a random name for the PDF, maybe using a GUID, e.g. user1_B12CBDDD-A333-4ADA-888D-DAF0A1894D40_invoice.pdf, but it doesn't feel like it's the correct (and secure) way to do this.

Any suggestions please? (I need to display the PDF in the UniPDF control; I can't just download it on the client machine.)

Thanks
David

irigsoft, posted March 22, 2021

> 16 minutes ago, david_navigator said:
> If I understand correctly, with UniGUI all files that need to be served to any user go in a common /files/ folder. So how do I stop User 1 from viewing User 2's files (I'm using the UniPDF viewer)?
> For example, if I generate a PDF for User 1 with a copy of their invoice (user1_invoice.pdf), how do I stop User 2 just making a guess and typing in https://www.mydomain.com/files/user1_invoice.pdf in an attempt to find a copy of User 1's invoice?
> I can obviously use a random name for the PDF, maybe using a GUID, e.g. user1_B12CBDDD-A333-4ADA-888D-DAF0A1894D40_invoice.pdf, but it doesn't feel like it's the correct (and secure) way to do this.
> Any suggestions please? (I need to display the PDF in the UniPDF control; I can't just download it on the client machine.)
> Thanks
> David

Hello, if I can offer you a suggestion:

Connect a user to a user session so that only the user who opens that session can see the PDF.

Something like:
1. Create a PDF named usersession_pdfName.pdf
2. When viewing the URL, make sure the user session is the same as the PDF name

Or even a cookie for the user's PDF creation procedure:
1. The user starts to create a PDF; before starting the procedure, create a temporary cookie
2. The user opens the PDF, but before opening the PDF, check the cookie

david_navigator (Author), posted March 22, 2021

> 7 minutes ago, irigsoft said:
> Hello, if I can offer you: Connect a user to a user session so that only the user opens that session to see the pdf. Something like: 1. Create a pdf named usersession_pdfName.pdf 2. When viewing the url, make sure the user session is the same as the pdf name

But that won't stop User 2 simply typing https://www.mydomain.com/files/user1_invoice.pdf directly into their browser and viewing the file without my app being involved.

Sherzod, posted March 22, 2021

> 11 minutes ago, irigsoft said:
> Something like: 1. Create a pdf named usersession_pdfName.pdf 2. When viewing the url, make sure the user session is the same as the pdf name

What if the user logs in again?

It is better for the user to create a unique folder that is stored in the DB.

irigsoft, posted March 22, 2021

> 16 minutes ago, Sherzod said:
> What if the user login again? It is better for the user to create a unique folder that is stored in the DB.

I am using a temporary folder for my application, and in this folder I have different files from different users. If all the links can get these files by URL, for me this is a security issue.

If user2 can read from this directory, I need to do a server procedure (or mainmodule) that checks if this user has the right to download / open this file; one of my solutions will be my suggestion.

When user2 tries to download a file created by user1 in the \files\ directory, the session manager (or server) must check and block it. How to do it?

"It is better for the user to create a unique folder that is stored in the DB."

How to create a directory in the DB? These PDF files may be temporary.

irigsoft, posted March 22, 2021

> 21 minutes ago, david_navigator said:
> But that won't stop user 2 simply typing https://www.mydomain.com/files/user1_invoice.pdf directly in to their browser and viewing the file without my app being involved.

I'm not sure. If user2 tries to access the PDF file, the session must be opened and the access verification procedure must be performed when the session is opened.

I'm using a different folder and trying to get a file from this directory and I can't. Maybe that's the solution.

david_navigator (Author), posted March 22, 2021

> 17 minutes ago, Sherzod said:
> What if the user login again? It is better for the user to create a unique folder that is stored in the DB.

But there's still no security. What's to stop User 2 using brute force to guess User 1's folder name?

irigsoft, posted March 22, 2021

Sherzod,

What is the best practice if I have different users and they all need to receive only their own files?

A simple example: I have a Stand Alone application. My app allows users to watch video files. All of these videos are paid.

If I have 3 users and user1 has paid for video1, user2 has paid for video2 and user3 has paid for video3: if everyone can download video1 (2 or 3) from one directory (\files) by URL, that means that all users can download all these 3 video files without paying, right?

irigsoft, posted March 22, 2021

david_navigator,

You can apply something simple: when user1 starts to create (or open) a PDF, you need to add your own code to the URL, like "/?F=UjSdR100O". This code is generated for the user when opening the session, so when user2 is trying to access the file by URL, it must use the same code to get to user1's files.

The URL will be: https://www.mydomain.com/files/user1_invoice.pdf&F=UjSdR100O, and the download file procedure will check the F-code.

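A per-request code like the one suggested in the post above can be made unguessable and tied to one session by deriving it with an HMAC. This is an added example, not code from the thread or from uniGUI: the key, the session IDs, the function names and the idea of a download handler that calls `MayServe` before serving a file stored outside the web-exposed folder are all assumptions.

```pascal
program SignedFileToken;
{$APPTYPE CONSOLE}
uses System.SysUtils, System.Hash, System.DateUtils;

const
  // Constructed demo key; a real server would load a random secret at startup.
  ServerKey = 'demo-key-not-for-production';

// The token binds one file to one session and to an expiry time (Unix seconds).
// Assumes neither the session ID nor the file name contains '|'.
function MakeToken(const ASessionId, AFileName: string; AExpires: Int64): string;
begin
  Result := THashSHA2.GetHMAC(
    ASessionId + '|' + AFileName + '|' + IntToStr(AExpires), ServerKey);
end;

// Compare the whole string instead of stopping at the first difference.
function SameTokenConstTime(const A, B: string): Boolean;
var
  I, Diff: Integer;
begin
  Diff := Length(A) xor Length(B);
  for I := 1 to Length(A) do
    if I <= Length(B) then
      Diff := Diff or (Ord(A[I]) xor Ord(B[I]));
  Result := Diff = 0;
end;

// Called by the (assumed) download handler before it serves the file.
function MayServe(const ASessionId, AFileName, AToken: string;
  AExpires, ANow: Int64): Boolean;
begin
  Result := (ANow <= AExpires) and
    SameTokenConstTime(MakeToken(ASessionId, AFileName, AExpires), AToken);
end;

var
  Expires, NowTs: Int64;
  Tok: string;
begin
  NowTs := DateTimeToUnix(Now);   // same clock is used to issue and to verify
  Expires := NowTs + 300;         // link valid for five minutes
  Tok := MakeToken('SESSION-A', 'user1_invoice.pdf', Expires);
  Writeln('owner session : ', MayServe('SESSION-A', 'user1_invoice.pdf', Tok, Expires, NowTs));
  Writeln('other session : ', MayServe('SESSION-B', 'user1_invoice.pdf', Tok, Expires, NowTs));
  Writeln('other file    : ', MayServe('SESSION-A', 'user2_invoice.pdf', Tok, Expires, NowTs));
  Writeln('after expiry  : ', MayServe('SESSION-A', 'user1_invoice.pdf', Tok, Expires, Expires + 1));
end.
```

The token only protects the file if every request for it goes through the check; a copy left in a folder the web server serves directly is still reachable by its plain URL.
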
irigsoft, posted March 22, 2021

david_navigator,

There is a problem: all directories are available, even the system directories!

With some instruments on the web you will get all files and download them.

irigsoft, posted March 22, 2021

David,

You can use TUniServerModule.UniGUIServerModuleHTTPCommand to catch the request before the file is opened.

irigsoft, posted March 22, 2021

URL: https://youdmain.com:8077/files/user1file.pdf

This blocks URLs that try to get files from other directories. If you try to open something like https://youdmain.com:8077/systemdir1/user1file.pdf, you will get error 405.

    procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
      ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
      var Handled: Boolean);
    begin
      // Check if this is a new session (direct request without a Referer)
      if (ARequestInfo.URI <> '/') and (ARequestInfo.Referer = '') then
      begin
        // Refuse anything that is not under /files/
        if (POS(ARequestInfo.Host + '/files/', ARequestInfo.Host + ARequestInfo.URI) = 0) then
        begin
          AResponseInfo.ResponseNo := 405;
          //AResponseInfo.ContentText := '<h1>Access denied</h1>';
          Handled := true;
          // Save log
          SaveHTMLLog('NONE ACCEPTABLE COMMAND' + #9
            + 'IP: ' + ARequestInfo.RemoteIP + #9
            + 'URI: ' + ARequestInfo.URI + #9
            + 'COMMAND: ' + ARequestInfo.Command + #9
            + 'ROW COMMAND: ' + ARequestInfo.RawHTTPCommand + #9
            + ARequestInfo.RawHeaders.Text + #9
            + ARequestInfo.Document);
          AResponseInfo.CloseConnection := true;
          AResponseInfo.CloseSession;
          exit;
        end;
      end;
    end;

mhmda, posted March 22, 2021

Hi,

We don't expose important files and .fr3 (FastReport) files to the web; we keep them in a folder that doesn't exist in the 'root' of ServerModule, and for generating a report we create a temp. file for the current user using the helper function of uniGUI:

    ExportFileName := ServerModule.NewCacheFileUrl(False, ExportType, '', '', AUrl, True);

This will create a random file with a specific extension, then we forward this to FastReport:

    frxPDFExport.FileName := ExportFileName; // <--- url for the temp file

And for displaying the report to the end user you just use the AUrl.

Also, all attached files that have been uploaded by the user are saved the same way in a folder that isn't exposed to the web, and when needed we use the same technique above (yes, another copy of the same file, and we keep the source file safe).

irigsoft, posted March 22, 2021

Just add this check for User1's sessionId.

1. Create a directory for User1, /files/sessionID, when User1's session starts
2. Generate User1's PDF files and save them in /files/sessionID
3. Add a check by sessionID in the function, like this:

    if (POS(ARequestInfo.Host + '/files/' + uniSession.SessionId + '/', ARequestInfo.Host + ARequestInfo.URI) = 0) then .....

When User2 tries to get User1's files, the function will check the sessionID and block User2 from getting User1's files.

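The POS test in the post above only looks for the prefix text, so a path that carries `..` segments after the prefix still matches it. The following stricter form of the same per-session folder check is an added example, not code from the thread or from uniGUI; the function name and the sample requests are constructed, and how the handler learns the requester's session ID is assumed.

```pascal
program SessionPathCheck;
{$APPTYPE CONSOLE}
uses System.SysUtils, System.NetEncoding;

// True only for /files/<ASessionId>/<single file name>, compared from the
// first character of the path instead of searching for a substring.
function IsOwnFileRequest(const AURI, ASessionId: string): Boolean;
var
  Path, Prefix, FileName: string;
  Q: Integer;
begin
  Result := False;
  if ASessionId = '' then
    Exit;
  Path := AURI;
  Q := Pos('?', Path);                       // drop the query string
  if Q > 0 then
    Path := Copy(Path, 1, Q - 1);
  try
    Path := TNetEncoding.URL.Decode(Path);   // %2e%2e becomes ..
  except
    Exit;                                    // malformed escape: refuse
  end;
  Path := StringReplace(Path, '\', '/', [rfReplaceAll]);
  // Refuse parent-directory segments and anything still percent-encoded.
  if (Pos('..', Path) > 0) or (Pos('%', Path) > 0) then
    Exit;
  Prefix := '/files/' + ASessionId + '/';
  if Copy(Path, 1, Length(Prefix)) <> Prefix then
    Exit;
  FileName := Copy(Path, Length(Prefix) + 1, MaxInt);
  Result := (FileName <> '') and (Pos('/', FileName) = 0);
end;

const
  // Constructed sample requests; 'S1' stands for the requester's session ID.
  Samples: array[0..4] of string = (
    '/files/S1/invoice.pdf',
    '/files/S2/invoice.pdf',
    '/files/S1/../S2/invoice.pdf',
    '/files/S1/%2e%2e/S2/invoice.pdf',
    '/other/files/S1/invoice.pdf');
var
  S: string;
begin
  for S in Samples do
    Writeln(IsOwnFileRequest(S, 'S1'), #9, S);
end.
```
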
irigsoft, posted March 22, 2021

> 7 minutes ago, mhmda said:
> Hi, We don't expose important files and .fr3 (fastreport) to the web, we keep them in folder that doesn't exist in the 'root' of ServerModule and for generating report we create a temp. file for current user using the helper function of the Unigui: ExportFileName := ServerModule.NewCacheFileUrl(False, ExportType, '', '', AUrl, True); This will create a random file with a specific extension then we forward this to FastReport: frxPDFExport.FileName := ExportFileName;//<--- url for the temp file And for displaying the report to the end user you just use the AUrl. Also all attached files that been uploaded by the user are saved the same way in a folder that isn't exposed to the web and when needed we use the same technique above (yes another copy of the same file, and we keep the source file safe).

Hi, how do you protect system directories?

I try to get files from system directories and don't have problems with that. I know what the dirName is and what files are in the dir, and I just type the URL and get them, no problem.

How do you protect all system directories in a Stand Alone application?

At this point, if User2 enters the URL of ExportFileName, then User2 will receive the file?

mhmda, posted March 22, 2021

hi

irigsoft, posted March 22, 2021

> Just now, mhmda said:
> From the web you can access this folder: "root\files" and sub-folders. If you put your important files in other folders: If serverRoot is empty then the exposed folder is "files". "root" and "files" are directories where you put your .exe file. Dir "systemfiles" can't be accessed from the web!!

Thanks.

Can you tell me about this: at this point, if User2 enters the URL of ExportFileName, then User2 will receive the file?

mhmda, posted March 22, 2021

Short answer is: yes, but the helper function "ServerModule.NewCacheFileUrl" creates a random file name, so there will be no chance that another user could know it.

irigsoft, posted March 22, 2021

I use my own directories for system files, and they are in the root directory (where MyApplication.exe is). Is that an error?

mhmda, posted March 22, 2021

Besides that, didn't you think about digitally signing your PDF files as we did? This way no one can edit your PDF files.

mhmda, posted March 22, 2021

> Just now, irigsoft said:
> I use my own directories for system files, and they are in root directory (where MyApplication.exe is), Is that error ?

If system files exist in a folder under 'root' then this is not good 🙂 You have to move them out of this directory.

irigsoft, posted March 22, 2021

> Just now, mhmda said:
> If system files exists in a folder under 'root' then this is not good 🙂 you have to move them out of this directory.

Thanks

irigsoft, posted March 22, 2021

If I change Server root: root to mynewroot, what problems can I expect?

mhmda, posted March 22, 2021

Maybe a video tutorial showing how you can digitally sign your PDF (with your logo) is needed 🙂

irigsoft, posted March 22, 2021

The problem is that User2 receives a file from User1.

In my example:
1. I have 3 users and they pay to receive the Video1, Video2, Video3 files
2. If I send url1 to user1 for video1, user2 and user3 will not pay for this file; the URL is the same

How to protect Video1 from being downloaded by user2 and user3 without paying?