asp_web_howto thread: securing site/files with asp
Message #1 by "Steve" <steve@u...> on Wed, 19 Sep 2001 02:16:47
I want to create a section of my website that will be password protected.
I have already set up the database part of the site. When users log in,
their username and password are checked in an Access DB. That works fine,
but when a user pastes a URL into a new browser (for example
www.test.com/secret/123.pdf ) the PDF file will open without requesting
authentication. If we remove anonymous access to those PDF files, we get
prompted by an NT username/password box. Since the user shouldn't have a
username on the OS, I get an error 401.2 stating that "This error
indicates that the credentials passed to the server do not match the
credentials required to log on to the server. This is usually caused by
not sending the proper WWW-Authenticate header field." How do I pass the
authentication headers using ASP? Is there an easier way to secure those
files within that section of my site? I don't think creating usernames and
passwords for each user under NT would be a good idea since there will be
over 500 users for that section. Any help would be greatly appreciated.
thanks,
steve
Message #2 by "phil griffiths" <pgtips@m...> on Wed, 19 Sep 2001 12:10:02
This is not something I've had to tackle personally, but it intrigued me
so I did a bit of digging. It seems that there is no easy way to do this
in IIS without creating loads of NT users. As you know the options are
Anonymous, Basic or NT challenge/response authentication. Well, anon is
obviously out, as is NT c/r since it's only supported by Microsoft, so
that only leaves Basic. But from what I've read Basic is not secure at
all since passwords are transmitted with only minimal encoding, so they are easy
to crack.
So what's the solution?
Well, there seem to be 2 methods:
1. use a third-party component, e.g. flicks.com Authentix (I've never used
this so don't take it as a recommendation, just one I came across)
2. roll your own: this seems to involve creating a user DB and custom logon
page, then storing whether the user is logged in (e.g. in Session) and
checking this at the top of each ASP page (using an include file). This is
simpler and cheaper than 3rd party, but the obvious drawback is that each
page being served must be ASP so that it can check if the user is logged in.
I guess for you this would mean serving up your PDFs via an ASP page so
the URL to the PDF is never disclosed, and probably putting your PDFs
somewhere which is not accessible directly from the web.
(4guysfromrolla.com has examples of this approach)
HTH - let me know how you get on.
Phil
> I want to create a section of my website that will be password protected.
> I have already set up the database part of the site. When users log in,
> their username and password are checked in an Access DB. That works fine,
> but when a user pastes a URL into a new browser (for example
> www.test.com/secret/123.pdf ) the PDF file will open without requesting
> authentication. If we remove anonymous access to those PDF files, we get
> prompted by an NT username/password box. Since the user shouldn't have a
> username on the OS, I get an error 401.2 stating that "This error
> indicates that the credentials passed to the server do not match the
> credentials required to log on to the server. This is usually caused by
> not sending the proper WWW-Authenticate header field." How do I pass the
> authentication headers using ASP? Is there an easier way to secure those
> files within that section of my site? I don't think creating usernames and
> passwords for each user under NT would be a good idea since there will be
> over 500 users for that section. Any help would be greatly appreciated.
>
> thanks,
>
> steve
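Phil's second option, the "gatekeeper" page, as an added example in classic ASP (VBScript) that is not code from this thread or from 4guysfromrolla. It assumes the login page has already stored the user's name in Session("username"), that the PDFs have been moved to D:\securedocs\ (a folder outside the web root, so IIS never serves it directly), and that the page is called as getpdf.asp?file=123.pdf. The file-name check is the part the thread does not mention: once the page reads files from disk on the user's behalf, the file parameter must be restricted to a bare name so that ..\ cannot be used to walk out of the document folder.

```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' getpdf.asp - serves a PDF only to a logged-in user.
' Assumptions (not in the original posts): Session("username") is set by
' the login page, and the PDFs live in D:\securedocs\ outside the web root.
Response.Buffer = True
Const DOC_ROOT = "D:\securedocs\"

' 1. Gate: no session, no file. Send the user to the login page instead.
If Len(Session("username") & "") = 0 Then
    Response.Redirect "/login.asp"
    Response.End
End If

' 2. Validate the requested name. Only a bare name with a .pdf extension is
'    accepted, so path separators and ".." can never escape DOC_ROOT.
Dim fileName, re
fileName = Request.QueryString("file")
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]{1,64}\.pdf$"
re.IgnoreCase = True
If Not re.Test(fileName) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid file name."
    Response.End
End If

' 3. Make sure the file exists before trying to open it.
Dim fso, fullPath
Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = DOC_ROOT & fileName
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If
Set fso = Nothing

' 4. Read the bytes and stream them out with the right content type.
'    The browser only ever sees getpdf.asp?file=123.pdf, never a URL under
'    the web root that could be fetched without a session.
Dim stm, bytes
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = 1              ' adTypeBinary
stm.Open
stm.LoadFromFile fullPath
bytes = stm.Read
stm.Close
Set stm = Nothing

Response.Clear
Response.ContentType = "application/pdf"
Response.AddHeader "Content-Disposition", "inline; filename=" & fileName
Response.AddHeader "Cache-Control", "private, no-store"
Response.BinaryWrite bytes
Response.End
%>
```

Two caveats follow from the thread itself: the session cookie travels in the clear just like the login form, so this is only as strong as the transport (Phil's later point about SSL applies to every request, not just the login), and the gate has to be on every page and file handler in the protected section, since anything reachable by a plain URL under the web root bypasses it.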
Message #3 by "Alex Shiell, ITS, EC, SE" <alex.shiell@s...> on Wed, 19 Sep 2001 13:46:57 +0100
The problem with using the database approach is that it is even less secure
than basic authentication, as the username and password are just transmitted
with a form. Some unscrupulous websites even put it into the querystring!
So I would say just make your life easy and use basic authentication.
Message #4 by "Alex Shiell, ITS, EC, SE" <alex.shiell@s...> on Wed, 19 Sep 2001 13:56:42 +0100
Steve - I never bothered reading your original post, so ignore my last one.
If you are keeping your usernames and passwords in a database already, then
that is your own authentication method and nothing to do with Windows NT.
You need to keep anonymous access on, otherwise the users will not be able
to enter your site at all. In the ASP that authenticates the user, you need
to save the username in a session variable. Then in every page of your
application, you need to check that the session variable contains a value,
and if not, redirect them to the login page.
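The login page and the per-page check that Alex and Phil describe, as an added example in classic ASP that is not code from this thread. It assumes an Access database at D:\data\users.mdb (again outside the web root, so the .mdb itself cannot be downloaded) with a table Users(Username, Password), and a hypothetical members/ folder for the protected pages. Two details are worth copying even if the rest is adapted: the query is parameterised through ADODB.Command so that the form input never becomes part of the SQL text, and the password is compared in VBScript with a binary comparison, because a Jet WHERE clause on a text column is case-insensitive and would accept "secret" for "Secret".

```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' login.asp - checks the posted credentials against the Access DB and, on
' success, records the user in the session. Assumptions (not in the thread):
' users.mdb lives outside the web root and the Password column is compared
' exactly as stored; the posts do not say how passwords are stored.
Const DB_PATH = "D:\data\users.mdb"
Const adVarChar = 200
Const adParamInput = 1

Dim userName, password, loggedIn
userName = Request.Form("username")
password = Request.Form("password")
loggedIn = False

If Request.ServerVariables("REQUEST_METHOD") = "POST" And Len(userName) > 0 Then
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DB_PATH

    ' Parameterised lookup: a username such as  x' OR '1'='1  is passed as a
    ' value, not spliced into the SQL, so it cannot rewrite the WHERE clause.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT Username, Password FROM Users WHERE Username = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 50, userName)
    Set rs = cmd.Execute

    ' Case-sensitive compare in VBScript; Jet's own text comparison is not.
    If Not rs.EOF Then
        If StrComp(rs("Password") & "", password, vbBinaryCompare) = 0 Then
            loggedIn = True
            ' Store the name as the database has it, not the raw form value.
            Session("username") = rs("Username")
        End If
    End If
    rs.Close
    conn.Close
End If

If loggedIn Then
    Response.Redirect "/members/index.asp"
    Response.End
End If
' Otherwise fall through to the form below. The same message is shown whether
' the name or the password was wrong, so the page does not reveal valid names.
%>
<html><body>
<% If Request.ServerVariables("REQUEST_METHOD") = "POST" Then %>
<p>Login failed.</p>
<% End If %>
<form method="post" action="login.asp">
  Username: <input type="text" name="username"><br>
  Password: <input type="password" name="password"><br>
  <input type="submit" value="Log in">
</form>
</body></html>

<%
' secure.inc - the include file Phil mentioned. Put
'   <!-- #include virtual="/secure.inc" -->
' as the first line of every page under /members/. It is a separate file
' in practice; it is shown here after login.asp for completeness.
If Len(Session("username") & "") = 0 Then
    Response.Redirect "/login.asp"
    Response.End
End If
%>
```

Keeping anonymous access switched on, as Alex says, is what makes this work: IIS lets every request through to the ASP engine, and the session check in secure.inc is the only thing standing between a pasted URL and the content, which is why static files in the section also have to go through a gatekeeper page rather than sitting under the web root.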
Message #5 by "Tim Morford" <tmorford@n...> on Wed, 19 Sep 2001 09:15:53 -0400
You could use the DB way and build in some function that encrypts the
username and password before sending it. I have been using that lately when
I have those high security/no $$$ sites. This article might help:
http://www.4guysfromrolla.com/webtech/010100-1.shtml
Tim Morford
Message #6 by "phil griffiths" <pgtips@m...> on Thu, 20 Sep 2001 10:35:16
The encryption method in this article wouldn't be any good for an HTML
password entry form, because the method uses a symmetric key to encrypt the
data before it is transmitted. The basic problem with these encryption methods
is how to transmit the key. If you use this method the browser has to
encrypt the userid and pwd using a key, but the only way to do that at
the browser end is JavaScript (if you want it to work for all browsers),
and so the key would be easily available by reading the JavaScript.
I guess this thread has turned into: how do you secure userids and
passwords? And we all know the answer is SSL.
Steve, how do you transmit your userids and passwords at the moment?
> You could use the DB way and build in some function that encrypts the
> username and password before sending it. I have been using that lately when
> I have those high security/no $$$ sites. This article might help:
> http://www.4guysfromrolla.com/webtech/010100-1.shtml
>
> Tim Morford
>
> -----Original Message-----
> From: phil griffiths [mailto:pgtips@m...]
> Sent: Wednesday, September 19, 2001 12:10 PM
> To: ASP Web HowTo
> Subject: [asp_web_howto] Re: securing site/files with asp
>
> Well, there seems to be 2 methods
> 1. use a third-party component e.g. flicks.com Authentix (I've never used
> this so don't take it as a recommendation - just one I came across)
> 2. roll-your-own: this seems to involve creating user db and custom logon
> page, then storing whether user is logged-in (e.g. in Session) and
> checking this at the top of each ASP page (using include file). This is
> simpler and cheaper than 3rd party but the obvious drawback is that each
> page being served must be ASP so that it can check if user is logged in.
> I guess for you this would mean serving up your PDFs via an ASP page so
> the URL to PDF is never disclosed - and probably putting your PDFs
> somewhere which is not accessible directly from the web.
> (4guysfromrolla.com has examples of this approach)
>
> HTH - let me know how you get on.
> Phil