Q: Prevent a file download ( No Answer,   6 Comments )
Question  
Subject: Prevent a file download
Category: Computers > Internet
Asked by: nickman5-ga
List Price: $10.00
Posted: 23 Oct 2005 11:22 PDT
Expires: 10 Nov 2005 19:41 PST
Question ID: 583879
I have a webserver running off of my computer.  With this, I have a
javascript file that handles the login information for my website. 
This javascript file has all the usernames and passwords for the site,
however, they are not encrypted.  If someone were to look at the source
code for the webpage, they would see where the javascript file is
located, and be able to download it and view it.  Is there a way that I
can prevent a person from downloading the file using .htaccess, while
still allowing the web page to access it?  If not, is there a place
that I can place the javascript file where a person will not be able
to get to it?
Answer  
There is no answer at this time.

Comments  
Subject: Re: Prevent a file download
From: adamluz-ga on 24 Oct 2005 18:29 PDT
 
Javascript has the same access as a user searching the web. You may
want to try and encrypt this area with .htaccess or just use the
standard method php.

If your server supports PHP, here is a simple script to prevent access:

<?php
// Assumes the login form posts fields named "username" and "password".
$username = isset($_POST["username"]) ? $_POST["username"] : "";
$password = isset($_POST["password"]) ? $_POST["password"] : "";

if ((($username == "whatever1") && ($password == "whatever1")) ||
    (($username == "whatever2") && ($password == "whatever2")) ||
    (($username == "whatever3") && ($password == "whatever3")) ||
    (($username == "whatever4") && ($password == "whatever4")))
{
    include("filetodownload.exe");
    // use above include or include the html with the download link
    // ie. include("download.html");
} else {
    echo("Your username and or password did not match");
}
?>

This file must end in php. Have more questions? Let me know.
Subject: Re: Prevent a file download
From: nickman5-ga on 25 Oct 2005 13:12 PDT
 
I still don't think that that will solve my problem.  For example, the
code I have on the web page is :
<head>
<script src="scripts/login.js"></script> 
</head>
All the usernames and passwords that will be accepted are in the file
login.js.  Now, if someone looks at the source code, they will see that
bit of code and be able to point their browser to
http://myserver/scripts/login.js and download the file.  This is what
I want to try to prevent.
I don't really know php, but isn't it placed within the html document?
 That would mean that if I were to use this script, my problem would
still be there.  Please let me know if I am misunderstanding the
script.
Thanks
Subject: Re: Prevent a file download
From: andrew2006-ga on 28 Oct 2005 23:39 PDT
 
Hi,

There are several possible ways to "encrypt" your code.
1) Code Obfuscation: you can use some shared software such as Jammer
or JMyth to make your code unreadable.

2) You can use Microsoft Windows Script Engine Version 5.0 to protect your code.

3) Use the Javascript function escape() to encrypt your code.
Subject: Re: Prevent a file download
From: dotcommakers-ga on 31 Oct 2005 04:17 PST
 
Hello sir,

In my personal opinion, you should start using PHP and MySQL [if
they are supported]. There are some freely available scripts which
you can use for personal use.

Right-click protection or popups are not a solution for you. By the way,
which local server are you using?

regards
Subject: Re: Prevent a file download
From: nickman5-ga on 31 Oct 2005 07:16 PST
 
I am using Apache
Subject: Re: Prevent a file download
From: marcbb-ga on 10 Nov 2005 15:56 PST
 
Your problem is that you're using client-side logic to police access
to your downloaded file. You are trusting the remote user to properly
use the javascript code to authenticate their access and not download
the file if they're not allowed to.

On the web, this is a big no-no. You NEVER EVER trust the remote user
to be friendly. You have to assume they're malicious and will do
anything they can to get where they shouldn't be.

As such, if you truly want to hide that file from those who are not
allowed to see it, you'll have to ditch this client-side
authentication and resort to server-side methods. Previous comments
suggested using PHP, which is one way of going about it. As you
mentioned using Apache as your server, you can also use the following
method:

1) Place your private file(s) into a sub-directory somewhere inside
your site's directory on the server. The name/location does not
matter, as long as it's some place that can be remotely viewed
2) Configure Apache to require a valid login on that directory.
Details are available at:
     http://httpd.apache.org/docs/1.3/mod/core.html#directory
and
     http://httpd.apache.org/docs/1.3/mod/core.html#require

In this method, you will have Apache doing the authentication of the
remote user's login credentials. Apache will refer to a .htpasswd file
(standard name) which will contain the username/password combinations
of all the valid logins. If you place this .htpasswd file somewhere
*outside* of your web-accessible directories, the remote user will not
be able to download the file and view all your logins.

NOTE: While they will not be able to view all the logins, nothing will
prevent them from repeatedly hammering your server and trying to guess
a valid login combo. Detecting and preventing this situation is beyond
the scope of this question, however.

NOTE #2: If you want to have multiple files available via this method,
and only make a certain subset of the files available to any
particular user, turn off directory browsing
(http://httpd.apache.org/docs/1.3/mod/core.html#options) on the
directory in which you're placing the files. This way they will not be
able to retrieve a list of all the files available.



More complicated solutions are available, ie: via CGI scripts, PHP,
Perl, etc... You could store the login information in a database, or
on another machine, etc... But I believe the method I present above
will be sufficient for your needs.

hope it helps
marc.
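
The Apache setup described in the comment above, written out as a configuration fragment. This is an added example, not part of the original comment; the directory paths, realm name, file name and user names are assumptions.

```apache
# Added example; every path and user name below is an assumption.
# Create the password file OUTSIDE the document root with the htpasswd
# utility that ships with Apache (-c creates the file, so use it once):
#   htpasswd -c /usr/local/apache/passwd/site.htpasswd alice
#   htpasswd    /usr/local/apache/passwd/site.htpasswd bob

<Directory "/usr/local/apache/htdocs/private">
    # NOTE #2: no directory listing, so users cannot enumerate the files
    Options -Indexes

    # Apache itself checks the credentials before serving anything here
    AuthType Basic
    AuthName "Private files"
    AuthUserFile /usr/local/apache/passwd/site.htpasswd

    # Any user listed in the password file may fetch files here ...
    Require valid-user

    # ... except this file, which only alice may fetch
    <Files "alice-report.pdf">
        Require user alice
    </Files>
</Directory>

# Basic authentication sends the password base64-encoded, not encrypted,
# so serve this directory over HTTPS.
```

The same directives, without the `<Directory>` wrapper, can go in a .htaccess file inside the protected directory if the server's AllowOverride setting permits AuthConfig.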
