Re: Controlling access to pdf/doc files

Do not allow direct access to the file itself. Create the file 
dynamically, or read it from a location outside the web root, via a 
servlet/app that checks the validity of the session.

It is not difficult to supply headers to indicate the 
content-disposition, which tells the browser to try to save the file, 
and can even provide a useful file name, rather than the name of the 
servlet.

Rogan

Sangita Pakala wrote:

> Hi,
>
> Could I have the list's thoughts on an answer we are preparing for the
> next version of the AppSec FAQ at OWASP.
>  
> Question - How can I ensure my application allows only authenticated
> users access to files like *.pdf or *.doc?
>
> Issue - Suppose a web site, say a bank site, displays the user's account
> statement as a .doc file. What if someone tries to access this file by
> typing its full URL into the address bar? How does the application check
> whether the user trying to access the file is the authenticated user and
> that the session has not expired? 
>
> Solution - One solution is to have a random number for the name of the
> file or the folder containing it. This random number could even be
> related to the session token of the user. This file/folder should then
> be deleted as soon as the user's session has expired.
>
> Are there better methods available to address this issue? Can the web
> server run a server side program to verify the session token before
> serving the final GET request for the file? 
>
>
> Thanks,
> Sangita.
>
> OWASP AppSec FAQ
> http://www.owasp.org/documentation/appsecfaq
>
> Paladion Networks
> http://www.paladion.net

--
"Using encryption on the Internet is the equivalent of arranging an
armored car to deliver credit card information from someone living
in a cardboard box to someone living on a park bench."
- Gene Spafford