Protecting files from mass downloading


russellcurtis
10-17-2002, 01:26 PM
I have a large number of files I want to make available for download, but ONLY after the visitor has successfully filled in a form. All the files are named in a similar way (i.e. file_01.zip, file_02.zip), so anyone who downloaded one file would not have to do much to then download all the files on the site by guessing their names.

How can I prevent this from happening?

I would ideally like to stick all the zip files in a protected directory, but then the browser will not be able to access them to download. Can someone come up with a suggestion as to how I can protect my files? I am using a Win2k web server and ASP scripts with JavaScript.

Thanks in advance.

Russell

Roy Sinclair
10-17-2002, 06:11 PM
Rather than give direct access to the directory with the protected files, place the files in a directory which cannot be accessed via the web but which can be reached via the File System Object under a utility account you set up on the server.

Your script that accepts the form should set a session variable. You can then write another script which performs the actual downloads; that script would first check that the session variable is set and then use the File System Object to read the file and send it to the user.

The following untested code should get you started:


<% @ LANGUAGE=VBScript%>
<% Option Explicit%>
<%
' Fixed for two problems in the original: ForReading was never defined (a
' runtime error under Option Explicit), and OpenTextFile/ReadAll returns a
' string, so BinaryWrite would corrupt the zip. ADODB.Stream reads raw bytes.
Const adTypeBinary = 1
Dim stm
Response.Buffer = TRUE
Response.ContentType = "application/zip"
' The session check and file name validation still go here (see the note below).
Set stm = CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile Request.QueryString("FileName")
Response.BinaryWrite stm.Read
stm.Close
Set stm = nothing
Response.End
%>


You will need to check for your session variable, and should also make sure the file name passed to you doesn't contain any relative paths, so you don't create an open invite to hackers. In fact, that's why you should run this script under a utility account: you can lock that utility account down to where it can't log on locally or access anything but the minimum needed to send the files.
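A fuller version of the gated download handler this reply describes, added here as an example and not Roy's code or anything from the thread. It assumes the form handler sets Session("FormCompleted") = True, that the zips live in a placeholder directory D:\protected_downloads\ outside the web root, and that only names matching the file_NN.zip scheme from the question are ever served:

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Added example, not from the thread. Assumptions: the form handler sets
' Session("FormCompleted") = True, and the zips live in PROTECTED_DIR, a
' placeholder path that is outside the web root.
Const PROTECTED_DIR = "D:\protected_downloads\"
Const adTypeBinary = 1
Dim fileName, fso, stm, re
' 1. Gate on the flag set by the form handler; no flag, no file.
If Session("FormCompleted") <> True Then
    Response.Status = "403 Forbidden"
    Response.Write "Please complete the form first."
    Response.End
End If
' 2. Accept only the exact naming scheme from the question. This rejects
'    "..", slashes and drive letters before any path is built.
fileName = Request.QueryString("FileName")
Set re = New RegExp
re.Pattern = "^file_\d{2}\.zip$"
re.IgnoreCase = True
If Not re.Test(fileName) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid file name."
    Response.End
End If
' 3. The file must exist in the protected directory, never in the web root.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(PROTECTED_DIR & fileName) Then
    Response.Status = "404 Not Found"
    Response.End
End If
' 4. Send the bytes with ADODB.Stream: OpenTextFile/ReadAll returns a string,
'    which corrupts binary content when passed to BinaryWrite.
Response.Buffer = True
Response.ContentType = "application/zip"
Response.AddHeader "Content-Disposition", "attachment; filename=" & fileName
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile PROTECTED_DIR & fileName
Response.BinaryWrite stm.Read
stm.Close
Set stm = Nothing
Set fso = Nothing
Response.End
%>
```

Because the regular expression is checked before any path is assembled, a request such as FileName=..\..\inetpub\wwwroot\global.asa is rejected with a 400 rather than reaching the file system.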

ksridhar69
10-17-2002, 10:13 PM
Read this article:

http://www.4guysfromrolla.com/webtech/faq/FileSystemObject/faq5.shtml