perl-asp mailing list archives

From Thanos Chatziathanassiou <tcha...@arx.gr>
Subject Re: Security implemention question
Date Fri, 03 Jan 2003 10:45:59 GMT
Hi Richard,

Happy new year to the list, BTW.

richard@crosswired.co.uk wrote:

>Can anyone either point out any major problems with this approach, or
>alternatively (preferably), suggest a better alternative ?
>In case it makes any difference to people's ideas/views, I am not using Apache
>for access control.  Users authenticate against a database, then on each page
>they visit, their user level (taken from the session object) is checked
>against the access level required for that page.
>
Since you already have the user's level in the Session object, you can
have an ASP script handle the downloads, like this:
-  check if the user has the required level.
-  set $Response->{ContentType} to whatever it is you want
-  open the (out of the webroot) file and, while reading it, output to
   the client.

Now with this approach you will avoid the constant back and forth
copying of files and the remote possibility that a user can guess the
filename, but there are some drawbacks:
- the ``heavy'' Apache mod_perl process will be tied up for the duration
  of the download, so depending on your setup, the size of the download
  and the speed of the clients, you might need more httpds running. The
  mod_perl guide can help you more on this - rather large - subject
  (http://perl.apache.org/docs/1.0/guide/index.html)

I really don't know if the above is a better solution, just a thought.

Regards,
Thanos Chatziathanassiou
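
The three steps listed in the message, sketched as an Apache::ASP script. This is an added example, not code from the original post or from the Apache::ASP project. The session key `user_level`, the directory `/var/data/downloads`, the `id` query parameter and the catalogue entries are assumptions made for illustration.

```perl
<%
# download.asp: added example, not part of the original thread.
# Assumptions: the login code stored a numeric level in
# $Session->{user_level}; the files live outside the document root.

my $BASE = '/var/data/downloads';   # assumed location, not under the web root

# Allowlist: public id => [file name, MIME type, minimum user level].
# The client only ever sends an id, never a path, so a request cannot
# name an arbitrary file on disk.
my %CATALOGUE = (
    manual  => [ 'manual.pdf',  'application/pdf',          1 ],
    payroll => [ 'payroll.xls', 'application/vnd.ms-excel', 5 ],
);

my $id    = $Request->QueryString('id');
my $entry = defined $id ? $CATALOGUE{$id} : undef;
my $level = $Session->{user_level} || 0;   # no session level means level 0

# Step 1: check the level. Unknown ids and insufficient levels get the
# same response, so the reply does not reveal which ids exist.
unless ($entry && $level >= $entry->[2]) {
    $Response->{Status} = 403;
    $Response->Write('Access denied');
    $Response->End;
}

my ($name, $type) = @$entry;
open(my $fh, '<', "$BASE/$name") or do {
    $Response->{Status} = 404;
    $Response->Write('Not found');
    $Response->End;
};
binmode $fh;

# Step 2: set the content type (and suggest a file name to the browser).
$Response->{ContentType} = $type;
$Response->AddHeader('Content-Disposition', qq{attachment; filename="$name"});

# Step 3: stream the file in chunks, flushing each one so the whole file
# is never buffered in the mod_perl process.
my $buf;
while (read($fh, $buf, 65536)) {
    $Response->BinaryWrite($buf);
    $Response->Flush;
}
close $fh;
$Response->End;
%>
```

The level check runs on every request, so possession of a link is not enough to fetch a file. The httpd process still stays busy for the length of the transfer, which is the drawback the message describes.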


