accessing a password protected directory

patrick t
11-10-2004, 08:39 PM
When accessing a file (e.g. test.pdf) that is in a password protected directory (e.g. pwdir) you can use a script like this after the <head> tag:
<meta http-equiv="refresh" content="0;URL=http://username:password@www.domainname.com/pwdir/test.pdf">

Is there a JavaScript equivalent for this? Because the problem is that the password becomes visible in the URL and the status bar when it is carried out.

Thank you

Roy Sinclair
11-10-2004, 10:19 PM
Actually you must not have read the documentation on what's happening with Windows XP SP2 because that particular form of userid and password embedded into a url is no longer valid as of SP2. The change was made because it wasn't supported by non-MS browsers, spammers were using it heavily and the standards for the protocol actually don't allow it as valid either.

In short, while it may work for now you're going to find it won't work much longer anyway. Possibly it's good you came here before you found out the hard way. Perhaps the first question that should be asked is why is that particular file protected using a userid and password when it could be made readable by the account running your web server and then it wouldn't require the user id and password in the first place. If you can change the permissions on the file to eliminate the need for the userid and password then you've fixed the problem.

patrick t
11-11-2004, 12:33 AM
The password protected directory is needed to store fax (.tif) files that can be viewed by members only. The members know their personal password but not the password of the directory.

11-11-2004, 12:55 AM
Use a server-side method. Do not use JS for this, since that's not what JS is for.
In PHP:

<?php
// We'll be outputting a PDF
header('Content-type: application/pdf');

// It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');

// The PDF source is in original.pdf
readfile('original.pdf');
?>

patrick t
11-11-2004, 09:21 AM
Of course a server side method would be better, but the website is directed by a content management system that is written in ASP and all the data (except the .pdf files) are in a MySQL database. The script (that accesses the password protected directory) will be in the MySQL database with the other data. That's why only client side programming can be used (ASP code is simply displayed on the screen, and not executed). The goal is to make it as secure as it can be, not perfect.

Roy Sinclair
11-12-2004, 04:38 PM
There's really no way to reliably hide that user id and password combination if you pass it to the client and with the pending discontinuation of that form of passing the user id and password you're going to be left with users being prompted for a user id and password regardless. Any solution for this will have to be made on the server.
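
The server-side approach the thread arrives at, as an added example that is not code from any poster: the files sit outside the web root, so no directory password ever reaches the browser, and a script checks the member's own login before streaming the file. The storage path, the `member_id` session key and the `file` query parameter are assumptions made for illustration.

```php
<?php
// Added example: member-gated file delivery. All names are assumptions.
declare(strict_types=1);

const FAX_DIR = '/var/www/private/faxes'; // assumed location outside the web root

// Map a requested file name to a real path inside $baseDir, or null.
function resolve_member_file(string $baseDir, string $requested): ?string
{
    // Bare file name only: no slashes, no quotes, a known extension.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(pdf|tif)$/i', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() follows symlinks; the result must still sit under the base.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
// Assumption: the site's login page sets $_SESSION['member_id'] on success.
if (empty($_SESSION['member_id'])) {
    http_response_code(403);
    exit('Members only');
}

$path = resolve_member_file(FAX_DIR, (string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Send the file with an explicit type so the browser does not guess.
$types = ['pdf' => 'application/pdf', 'tif' => 'image/tiff'];
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . $types[$ext]);
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```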