Cookie / File Attachments

I have a simple web application that uses cookie authentication (not Domino) to hide data / load computed subforms, etc. It works great, but now I have a problem. The user wants to protect files, and I was not sure if I could do this. If I go to the page, I can hide the attachment. If they figure out the URL http://server/db/0/doc_unid/$File/attachment, the attachment loads.

Any suggestions on how I can disable the attachment download based off the cookie being set?

Subject: Cookie / File Attachments.

Unless you can move the attachment to a different document and use a Readers field for protection (which would be impossible based on your authentication description), then you can’t protect the attachments. The question then becomes “how are unauthorised users getting the attachment names?” Perhaps not typing the filename several times in the body of the web page would be a start, and using obfuscated filenames (or filenames with a random bit of yuck appended) would keep that down to a minimum. That, of course, requires that your client/user pay attention when creating pages.

If the user wants real security, then paying for it mightn’t be such a bad idea.

Subject: RE: Cookie / File Attachments.

Cost isn’t the issue, flexibility is the issue. We / the developers / users (or anyone else but the admins) are not allowed to add users to the NABs. This application has about 3,000 users, and what documents they can see depends on fields in their profiles. I will explore the response method.

Thanks.

Subject: RE: Cookie / File Attachments.

Chris, try this: tell your admins that you need to give Anonymous users at least Editor access to applications WITH access to agents that will run with unrestricted permissions (file IO). They may decide, at that point, to allow you to properly register external users, perhaps even in a segregated environment, which is what you actually require here. We’re not talking about creating users in your primary NAB, or even in your primary domain.

Responses can only help so much – any user who can get hold of the URL to an attachment will still have access if you can’t use a readers field to keep them out of the document.

Subject: RE: Cookie / File Attachments.

I have been down that road; it is not worth the fight. I think the response document solution will work for what I need to do. If not, back to the drawing board.

Thanks!
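
Because the `$File` URL discussed in this thread is served without the application's cookie check, one thing an administrator can do is audit the web access log for attachment downloads that arrived without that cookie. The following is an added example, not part of the original thread or of Domino itself; the cookie name `AppAuth` and the log layout (combined format with the request's Cookie header appended as a last quoted field) are assumptions, and the log lines are constructed.

```python
import re

# Assumptions (not from the thread): the application's cookie is named
# "AppAuth", and the access log is combined-format with the request's
# Cookie header appended as a final quoted field.
AUTH_COOKIE = "AppAuth"

# Direct attachment URL shape quoted in the thread: /db/0/doc_unid/$File/name
FILE_URL = re.compile(r"^/(?P<db>[^?]+?)/0/(?P<unid>[^/?]+)/\$file/(?P<name>[^?]+)", re.I)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

def has_auth_cookie(header):
    """True if the Cookie header carries a non-empty AUTH_COOKIE value."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == AUTH_COOKIE and value:
            return True
    return False

def find_unauthenticated_downloads(lines):
    """Return (ip, unid, filename) for each served $File request lacking the cookie."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["status"] not in ("200", "206"):
            continue  # unparseable line, or the attachment was not served
        url = FILE_URL.match(m["path"])
        if url and not has_auth_cookie(m["cookie"]):
            hits.append((m["ip"], url["unid"], url["name"]))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2024:10:00:00 +0000] "GET /db.nsf/0/ABC123/$File/report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "AppAuth=s3ss10n"',
    '198.51.100.7 - - [01/Mar/2024:10:05:41 +0000] "GET /db.nsf/0/ABC123/$File/report.pdf HTTP/1.1" 200 5120 "-" "curl/8.0" "-"',
    '198.51.100.7 - - [01/Mar/2024:10:05:50 +0000] "GET /db.nsf/0/ABC123?OpenDocument HTTP/1.1" 200 900 "-" "curl/8.0" "-"',
    '203.0.113.5 - - [01/Mar/2024:10:07:12 +0000] "GET /apps/db.nsf/0/DEF456/$FILE/plan.xls HTTP/1.1" 200 20480 "-" "Mozilla/5.0" "lang=en; AppAuth="',
]

if __name__ == "__main__":
    for hit in find_unauthenticated_downloads(SAMPLE_LOG):
        print("attachment served without auth cookie:", hit)
```

A hit shows only that the cookie was absent from the request; the check says nothing about whether a cookie that was present is valid.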