Secure Excel Files with Forms Authentication Only Works Once

I have been stuck on this problem for a couple of days now and can't seem to find anyone with the same problem. I have a secure directory that has Excel files that I want only certain people to have access to. Because Forms authentication only secures .NET files, I added the .xls file extension in my App Mappings to the aspnet_isapi.dll in IIS. This seemed to work because my login page properly displayed when I tried to access one of the Excel files. However, I noticed that as long as the file is stored in my Temporary Internet Files, I am not required to log in again even though my ticket expires after 10 minutes. I even tried rebooting the computer but it still allows access to the file until it is removed from the Temporary Internet Files folder. Has anyone else come across this problem, or do I just need to do something else besides adding the app mappings in order to make it behave like my .aspx files do?

Thanks,
Brian Nicoloff
nicolobj
9/17/2003 3:19:52 PM
asp.net.security

Hi Brian,

It sounds like IE is loading the file from the cache (Temporary Internet Files folder), and that's why you are getting it. To make sure, download it, let the ticket expire, and modify the version on the server and try to open the file again. When you do, make sure that the one that IE opens isn't the changed one. From what I know of IE's behaviour, it's expecting a file download (the XLS file), and since it's already in the cache, it doesn't re-download it for you, it just opens it again.
One workaround for this would be to enable content expiry in INETMGR (under HTTP Headers).
HTH,
Pete
This posting is provided "AS IS" with no warranties, and confers no rights.
PeteL
9/17/2003 8:57:49 PM
Hi Pete. Thanks for the advice. This solution works almost perfectly in that the temporary file will be removed when the browser is closed, but it remains in the Temporary Internet Files folder for as long as Internet Explorer is open. You also have to make sure that "Empty Temporary Internet Files folder when browser is closed" is selected in the Advanced tab on the client's browser. I still can't find a way to make the .xls file behave as the .aspx files do, but this workaround will have to do I guess. Thanks for your help.

Brian
nicolobj
9/18/2003 5:43:57 PM
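
Added example, not part of the thread: the content-expiry workaround Pete describes, set per response from ASP.NET code instead of in INETMGR, for .xls requests that are already routed through aspnet_isapi.dll. The handler name `ProtectedExcelHandler` and its `*.xls` mapping in the web.config `<httpHandlers>` section are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler: register it for path="*.xls" under <httpHandlers>
// in web.config so it runs for the files mapped to aspnet_isapi.dll.
public class ProtectedExcelHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        // The <authorization> rules normally stop anonymous users before this
        // point. Checking again keeps the file closed if those rules are
        // misconfigured; Forms authentication turns the 401 into a redirect
        // to the login page.
        if (!request.IsAuthenticated)
        {
            response.StatusCode = 401;
            return;
        }

        string path = request.PhysicalPath;
        if (!File.Exists(path))
        {
            response.StatusCode = 404;
            return;
        }

        // Expiry headers: ask the browser and any proxy not to keep a copy
        // that could be reopened after the authentication ticket expires.
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetNoStore();
        response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        response.ContentType = "application/vnd.ms-excel";
        response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path) + "\"");
        response.WriteFile(path);
    }
}
```

These headers are a request to the client; as Brian reports above, Internet Explorer may still hold the downloaded copy while the browser stays open.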