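We have a website (for example abc.com) that is built with classic ASP and hosted on IIS 6.0. In IIS 6.0 we have a content folder that consists of static files such as PDF or XLS. We recently learned that direct links to the PDF/XLS files on our site (www.abc.com/content/xyz.PDF) show up in the results of various search engines, and that any user can access these files directly. Since these files should only be accessible to logged-in users, what is the way to prevent anonymous users from accessing them directly? We use cookies and a database to validate users. The actions we have taken so far are:
1) We added a robots.txt to our website and used various webmaster tools to stop the direct links from being listed in search results, but we do not think this is the best solution.
2) Various features on our website showed users a direct access link to a PDF. We have stopped showing the direct URL path to users.
Question: Since we are using IIS 6.0 and classic ASP, is there any way to implement something at the IIS level to prevent direct access to PDF/XLS files? For example, if a user types 'www.abc.com/temp/xyz.PDF', or any URL containing .pdf/.xls, the request should first be intercepted by our ASP page or some other page for authentication (to check whether the user is logged in or not), and the file should be allowed to open based on that.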
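Our company has a similar type of site, with a large number of files that nobody except the user who uploaded them should be able to access. We solved it like this: use links such as
<a href='downloadFile.asp?fileID=2341'>appManual.pdf</a>
instead of linking directly to the file.
Example of the 'download-file-code':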
dim filePath
'Is the user logged on?
if Session("userID") > 0 then
    'Good, the user is logged on.
    'See if we can find the file the user is requesting
    filePath = GetFilePAthFromDatabaseByID(request("fileID"))
    if filePath <> "" AND DoFileExists(filePath) then
        'We found the file, send it to the client's browser
        '(the second argument is the file extension, used to pick the MIME type)
        SendFileToClient filePath, Mid(filePath, InStrRev(filePath, ".") + 1)
    else
        'HTML-encode the user-supplied ID before echoing it back
        response.write "Sorry, we can't find the file with ID = " & Server.HTMLEncode(request("fileID") & "")
    end if
else
    response.write "Sorry, you are not allowed to download files unless you are logged on"
end if

Function DoFileExists(filePath)
    dim fso
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    if fso.FileExists(filePath) then
        'return value
        DoFileExists = true
    else
        'return value
        DoFileExists = false
    end if
End Function

Function SendFileToClient(strFile,strFileEnd)
    dim objText, strContentDisp, strFilename, strm, fso, fsofile, intFilelength, icount, oldScriptTimeout
    strFilename = strFile
    'It is important that the buffer is set to false to be able to handle big documents that exceed the buffer size;
    'the binary document is sent in chunks to the client.
    'Leaving the buffer set to true will cut off the binary stream at "buffer full" and the document is not readable by the client.
    Response.Buffer = False
    Set strm = Server.CreateObject("ADODB.Stream")
    strm.Open
    strm.Type = 1 'adTypeBinary
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    if not fso.FileExists(strFilename) then
        Response.Write("The corresponding file does not exist")
        Response.End
    end if
    Set fsofile = fso.GetFile(strFilename)
    intFilelength = fsofile.size
    strm.LoadFromFile(strFilename)
    'All the known file types below will be sent to the browser as a known MIME type; this will embed and open the documents
    'directly in the browser.
    'If some of the document types are to be opened in a full application instead of a browser-embedded application, just comment out
    'the case section containing the extension type and the file will be downloaded as an "application/octet-stream"
    'Default Content-Disposition
    strContentDisp = "filename=" & fsofile.name
    select case ucase(strFileEnd)
        Case "TIF", "TIFF"
            Response.ContentType = "image/tiff"
        Case "GIF"
            Response.ContentType = "image/gif"
        Case "JPEG", "JPG"
            Response.ContentType = "image/jpeg"
        Case "PNG"
            Response.ContentType = "image/png"
        Case "BMP"
            Response.ContentType = "image/bmp"
        Case "PDF"
            Response.ContentType = "application/pdf"
        Case "XLS"
            Response.ContentType = "application/vnd.ms-excel"
        Case "DOC"
            Response.ContentType = "application/msword"
        Case "TXT"
            Response.ContentType = "text/plain"
        Case "HTM", "HTML"
            Response.ContentType = "text/html"
        Case "XML"
            Response.ContentType = "text/xml"
        Case Else
            strContentDisp = "attachment; filename=" & fsofile.name
            Response.ContentType = "application/octet-stream"
            Response.CharSet = "UTF-8"
    End Select
    Response.AddHeader "Content-Disposition", strContentDisp
    'Remove the setting of Content-Length when using IIS 7.5 since it does not work there
    Response.AddHeader "Content-Length", intFilelength
    'Set the timeout to a large value when downloading big documents
    oldScriptTimeout = Server.ScriptTimeout
    Server.ScriptTimeout = 30000
    'chunk is the read size in bytes; it is not declared or assigned in this function
    'and must be set to a non-zero value before this loop runs
    For icount = 1 To intFilelength \ chunk
        If Not Response.IsClientConnected Then Exit For
        Response.BinaryWrite strm.Read(chunk)
    Next
    If intFilelength Mod chunk > 0 Then
        If Response.IsClientConnected Then
            Response.BinaryWrite strm.Read(intFilelength Mod chunk)
        End If
    End If
    Response.Flush
    Response.Buffer = True
    'Reset the original timeout
    Server.ScriptTimeout = oldScriptTimeout
    strm.Close
    Set strm = Nothing
    set fsofile = Nothing
End Function

Example of a custom 404 page:
<%
dim downloadURL, url, urlPattern, arrTmpUrl, arrTmp
dim filename, fileID
' ** Base path for downloads (new)
downloadURL = "http://www.yourDomain.com/downloadFile.asp?fileID="
' ** Fetch QUERY_STRING (this tells us which page the user tried to access)
url = Request.ServerVariables("QUERY_STRING")
' ** URL pattern (did the user try to download a content file?)
' ** Literal dots in the host name are escaped so that they only match "."
urlPattern = "^(http://|http://www\.|www\.)yourDomain\.(se|com):80/(ContentDir|AltContentDir)/[a-zA-Z0-9_åäöÅÄÖ .]{2,100}/?$"
arrTmpUrl = split(url,"404;")
if 1 = (UBound(arrTmpUrl) - LBound(arrTmpUrl)) then
    if RegExTest(arrTmpUrl(UBound(arrTmpUrl)), urlPattern) Then
        arrTmp = split(arrTmpUrl(UBound(arrTmpUrl)),"/")
        filename = trim(arrTmp(UBound(arrTmp)))
        'See if we can find the file name in the database
        fileID = GetFileIDFromDatabaseByName(filename)
        if fileID > 0 then
            downloadURL = downloadURL & Cstr(fileID)
            'Redirect the user to the proper download link
            response.redirect downloadURL
        else
            'We did not find a matching file
            'Show the standard 404 page
            ShowStd404Page("We did not find a matching file")
        end if
    else
        'The URL did not match the pattern
        'Show the standard 404 page
        ShowStd404Page("no match")
    End if
else
    'The query string did not look as expected
    'Show the standard 404 page
    ShowStd404Page("unexpected queryString")
End if
%>
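
An added example, not part of the answer above: a stricter entry point for downloadFile.asp that validates fileID, confirms the path returned by the database stays inside a content folder kept outside the web root, and limits downloads to PDF/XLS before handing off to the answer's SendFileToClient. STORE_ROOT, ALLOWED_EXT, ParseFileId, IsServablePath and ServeProtectedFile are assumed names; Session("userID"), GetFilePAthFromDatabaseByID and SendFileToClient come from the answer and are assumed to be defined as shown there, with chunk set.

```vbscript
<%
' Added example, not the answer's own code. STORE_ROOT is an assumed folder
' outside the web root, so IIS can never serve these files by direct URL.
Const STORE_ROOT = "D:\SecureContent"
Const ALLOWED_EXT = "|pdf|xls|"

' Returns the ID as a Long, or 0 when the input is not 1-9 plain digits.
Function ParseFileId(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    ParseFileId = 0
    If re.Test("" & raw) Then ParseFileId = CLng("" & raw)
End Function

' True only for an existing PDF/XLS whose normalised path is under STORE_ROOT.
Function IsServablePath(filePath)
    Dim fso, rootPath, fullPath
    IsServablePath = False
    If Len("" & filePath) = 0 Then Exit Function
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    rootPath = LCase(fso.GetAbsolutePathName(STORE_ROOT)) & "\"
    fullPath = LCase(fso.GetAbsolutePathName(filePath))   ' collapses ".." segments
    If Left(fullPath, Len(rootPath)) <> rootPath Then Exit Function
    If InStr(ALLOWED_EXT, "|" & fso.GetExtensionName(fullPath) & "|") = 0 Then Exit Function
    IsServablePath = fso.FileExists(fullPath)
End Function

Sub ServeProtectedFile()
    Dim fileId, filePath
    ' Same login test as the answer; Session("userID") is assumed to be set by the site's login code.
    If Not (Session("userID") > 0) Then
        Response.Status = "403 Forbidden"
        Response.End
    End If
    fileId = ParseFileId(Request.QueryString("fileID"))
    If fileId > 0 Then filePath = GetFilePAthFromDatabaseByID(fileId)
    If Not IsServablePath(filePath) Then
        Response.Status = "404 Not Found"
        Response.Write "File not found"   ' never echo the raw fileID back
        Response.End
    End If
    Response.AddHeader "Cache-Control", "private, max-age=1"
    SendFileToClient filePath, Mid(filePath, InStrRev(filePath, ".") + 1)
End Sub

ServeProtectedFile
%>
```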

David's code fails at "intFilelength \ chunk": chunk is 0. Insert the declaration:
Dim chunk
chunk = 2^13 '8K
Many other related questions also tell us to add:
Call Response.AddHeader("Cache-Control", "private, max-age=1")