Wrox Programmer Forums
ASP.NET 1.0 and 1.1 Professional For advanced ASP.NET 1.x coders. Beginning-level questions will be redirected to other forums. NOT for "classic" ASP 3 or the newer ASP.NET 2.0 and 3.5
November 21st, 2005, 07:17 PM
Limit access to upload page functionality

Well, here is a problem...

In the web application, which I am doing, logged on users can upload files using a Java applet, which is embedded in the .aspx page. The applet posts an HTTP request to an .aspx page on the same server as the logged in user is.

I am trying to figure out a way to prevent non-authorized people from uploading files as well. Since the user is already logged on I was wondering if one could pass the session ID to the applet and let the applet include it in the HTTP request, and then validate before the upload happens (server-side) that the session ID posted exists (user logged on).

The problem is not to pass the session ID back and forth. The problem is to validate that the session ID exists. Is it possible to make such an inquiry? I guess it would be a security risk, right?

If this will not work, how can I provide the wanted functionality?

Thanks, Jacob.
 
November 23rd, 2005, 02:42 PM

You can use Forms Authentication for your project. Or you can do your own validation on the page. In the Page_Load, do a check: if the user is not authorized to upload, redirect to an error page stating "You do not have rights to upload". Something like that should work.

 
November 23rd, 2005, 03:02 PM

Yes, but that would require the applet users to enter username and password in the applet itself again, even though they are already logged on to the web application, and I would like a solution without this; the user is already logged on to the .aspx page/application.

The .aspx page which is handling the upload is merely a standalone page, which only processes an upload request and nothing more. Something like this...
Code:
    public void Page_Load(Object oSender, EventArgs eArg)
    {
        int uploaded = 0;
        // Plain-text status report that the applet reads back.
        this.Response.Clear();
        this.Response.BufferOutput = true;
        this.Response.ContentType = "text/ascii";
        try
        {
            ...

            // Save every posted file under 'path', keeping only the file-name
            // part of the client-supplied name.
            HttpPostedFile file;
            foreach(string f in this.Request.Files.AllKeys)
            {
                try
                {
                    file = this.Request.Files[f];
                    file.SaveAs(path + ((path.EndsWith(@"\"))? "" : @"\")
                            + System.IO.Path.GetFileName(file.FileName));
                    this.Response.Write(System.IO.Path.GetFileName(file.FileName) + " (uploaded)\n");
                    uploaded++;
                }
                catch(Exception e)
                {
                    // Report the failure and continue with the next file.
                    this.Response.Write("- File upload of '" + f + "' failed. " + e.Message + "\n");
                }
            }
        }
        catch(Exception e)
        {
            this.Response.Write("Exception: " + e.Message + "\n");
        }
        this.Response.Write(uploaded + " files were successfully uploaded.\n");
        this.Response.End();
    }
Since it is an applet, the user does not leave the page in which the applet resides. The upload is then another session... unfortunately. I would like it to be the same. All the login stuff is done for the web application but I have been forced to make a Java applet in order to select multiple files for upload, and this solution unfortunately introduces these other authorization problems.

Jacob.
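One way to do the server-side check asked about in this thread without handing the session ID to the applet, as an added example that is not part of the original posts: the logged-in page issues a random single-use ticket, the applet posts it back, and the upload page redeems it before touching any file. It assumes Forms Authentication is in use; the class name `UploadTicket`, the cache key prefix and the `ticket` form field are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Caching;

// Hypothetical helper (not from the thread): short-lived upload tickets kept in
// the application cache, so the upload page can check them even when the
// applet's request arrives without the browser's session cookie.
public sealed class UploadTicket
{
    private const string Prefix = "upload-ticket:";

    // Call from the logged-in page that hosts the applet and emit the result
    // as an applet <param>, so the applet can send it with the upload request.
    public static string Issue(HttpContext ctx, int minutesValid)
    {
        if (!ctx.Request.IsAuthenticated)
            throw new InvalidOperationException("User is not logged on.");

        byte[] raw = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(raw);   // unguessable random value
        string ticket = BitConverter.ToString(raw).Replace("-", "");

        // Cached value = user the ticket was issued to; the entry expires by itself.
        ctx.Cache.Insert(Prefix + ticket, ctx.User.Identity.Name, null,
            DateTime.Now.AddMinutes(minutesValid), Cache.NoSlidingExpiration);
        return ticket;
    }

    // Call first thing in the upload page's Page_Load. Returns the user name
    // the ticket belongs to, or null if it is missing, unknown or expired.
    public static string Redeem(HttpContext ctx, string ticket)
    {
        if (ticket == null || ticket.Length != 64)
            return null;
        // Remove() returns the cached value (or null), so a ticket works once.
        return ctx.Cache.Remove(Prefix + ticket) as string;
    }
}

// In the upload page (the form field name "ticket" is an assumption):
//   string user = UploadTicket.Redeem(Context, Request.Form["ticket"]);
//   if (user == null) { Response.StatusCode = 403; Response.End(); return; }
```

The cache lives in one application instance, so this assumes a single web server; a ticket that has expired or been evicted fails closed and the user simply reloads the hosting page to get a new one.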




