Permissions and user login issues

Discussion in 'Classic ASP' started by roryknowles, May 9, 2006.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. Hi

    I'm doing something right now which is really hard drive caching.
    It also uses only one ASP page as the main page for all pages; using the 404 error redirect, it gets the name of the page.
    Using the name, it checks the database for categories, pages, and listings with that name as the title.
    If it exists, it runs the main code and displays it to the user. If not found, it gives a 404 response and displays an error page.
    All the page links are like this: About_Us.htm, Default.htm, and folders are done the same way: Homes/New_Home.htm, etc.

    When the main ASP page is loaded by a user, there is first a check which looks at a time interval, in this case 2 days. If the text file doesn't exist, or
    if it is older than, say, 2 days, the file is deleted if it exists and then created (updated), and the main code writes to the browser.

    If the file exists and is within the time interval, it is opened and the text is written to the browser. This uses FileSystemObject.

    The time interval is based on the date/time the text file is created and the interval setting.

    Basically it creates a text file of the dynamically created webpage and then loads it.
    If it exists, it opens it and then shoots the text to the browser ..

    Okay, here is the thing .. it works well. Also, both the 404 Error Name and the Caching are class files.
    The 404 Error class and the Cache class can work individually, BTW.

    Now you can set a folder to save them to in the settings, and that is the folder you open write permissions on.
    I also wrote an ASP page that allows me to do a basic hard-coded login and delete all those files and folders, like after I've done a bunch of changes, so I will see those changes ASAP.
    This will eventually be a part of the actual back end. The folder name is hard-coded into the ASP page.

    So I've been going through other ways to make it even faster .. originally it actually cached in Application variables, but for sure that was a no-no!
    With this file-based method I've had to assign the quota for a certain amount of space, of course, for everyone, but it is only in one hard-coded folder so no real issues.

    I have 2 options.

    #1 - Keep it as is. It does some calculations before loading the page, whether it is cached or not.
    If I leave it as is, is there a way to make sure only certain types of files are allowed to be written to that folder?
    This whole post is really about security and permissions; you will see in the next option.

    #2 - One I've been toying with, and it works on my local server ...
    Leave out the subfolder name if I want to; therefore the text files are created in the HTDOCS folder .. and as HTM pages, for example.
    So basically for every page that is loaded, if the HTM page actually exists it is loaded as a plain static page, which is even faster; since it exists, no 404 error is given.
    If it doesn't exist, the main ASP page takes care of the 404 error and creates it.
    And a way to fix the updating of the static file after that interval is up is to include the main ASP page in an image src tag at the very bottom
    of each static page created. Even if that ASP page has some work to do (very little if the file actually exists), as it is located after the HTML is displayed
    it does not slow down the loading of the static page. I also updated the page that deletes all the files and folders to only delete HTM files in the HTDOCS folder and not delete folders that are essential, such as 'images' etc., and FrontPage ones such as anything with a _ in the folder name. This method works also, but I have a couple of questions:

    A - Since I would need to allow write permissions to the HTDOCS folder for everyone, is it possible to set read-only permissions on the other essential folders in that directory?
    If so, then I could put the main ASP page in a protected folder.

    B - As with the above, is there a way to log in inside the code as the Admin and then create the file, so permissions do not need to be write for everyone?

    C - Comments on any of this regarding security issues?

    Thanks

    Rory

    PS. If anyone is interested in the 404 Error Class code, let me know and I'll post it here along with how to use it.

    Bahamas Security - BahamasSecurity.com
    Bahamas Real Estate - KnowlesRealty.com

    Post Edited (roryknowles) : 5/9/2006 5:37:11 AM GMT
     
  2. I'm trying to understand why you are concerned about the security of writing the files.

    Are the files that are written uploadable or modifiable by the user? If so, you can restrict the extension name that is written to '.htm' or '.html' by always appending .htm or .html to the end. Though it might still be possible to perform a server-side include. Though random web users that do not have access to your application will not have permissions to just stuff files onto your website.

    What you are referring to in scenario B is called impersonation, and it can be pretty complex; I'm not sure you can do this in classic ASP.

    Your application seems fairly complex... I would actually recommend you spend the time and convert to ASP.NET. There are some really nice page caching methods that would work perfectly for you in ASP.NET. You can create a page like "about_us.aspx" and have it pull its data directly from the database. You can then specify the cache time on that file, so the page is stored in memory and served immediately (doesn't pull from database or disk!).

    This would also greatly reduce the complexity of your site. Less complex = fewer things to break and easier to maintain.

    Here are some articles on output caching...
    http://www.codeproject.com/aspnet/cachingaspnet.asp
    http://msdn2.microsoft.com/en-us/library/e3w8402y.aspx


    Joel Thoms
    DiscountASP.NET
    http://www.DiscountASP.NET
     
  3. You won't have to worry about anyone having access to your account through the web.

    The only times people are able to "hack" sites is through an exploit or a vulnerability in an application they've installed or built. Just make sure your application won't let people in, and you should be good to go.


    Joel Thoms
    DiscountASP.NET
    http://www.DiscountASP.NET
     
  4. Cool, thanks .. just wanted to double check ..

    What do you think of the speed in general ..?
    I can turn off the caching and let you see how slow it is without .. ;)

    Post Edited (roryknowles) : 5/10/2006 7:33:22 PM GMT
     
  5. Hi, just was curious as to any risks with that .. I set the other folders to read-only though, and so far that option is working well.
    Basically there really isn't any major risk then .. no, there is no upload on the main folder besides using FrontPage ..
    There is one page that does the delete, but I have to log in to run it.

    It's a 3000-line class file that does most of the website work, so nope, won't be redoing that in .NET. As it is I am breaking it up into class files and common procedures, the parts that do specific things ..
    And will be taking some database and template things out and putting them into text/htm-based files, just things that aren't needed. The big class does a lot of work, and on an Access DB at that .. plus the servers have been kind of slow lately (hint hint). Basically it creates web pages based on Categories, Pages, and Listings, so can create form pages and other pages simply in the database ..

    Got it to work pretty well. The class file that does the check and saving to the HDD is only maybe 400 lines, and that's with a lot of spaces .. ;)
    I can change the interval so it creates/updates them quicker (or not at all), and also can delete all that have been created whenever I make changes .. or just a specific file ..

    View it here .. http://www.knowlesrealty.com

    Gotta clean up the HTML side now .. going to get rid of most of the tables and replace them with div tags ..

    Thanks ..
    Rory
     
  6. Cool, thanks ..

    Hey, here is my cache class used in another example ..
    Basically it shows how you can cache blocks of a page instead of the whole thing.
    Also shows how you can run dynamic code inside those blocks.
    There are 2 blocks in this example, one on the right, one on the left ..
    They both also have a function included in the text which is run no matter
    if it is cached or not .. so essentially a block could be a whole page and there
    could be certain dynamic procedures throughout the page .. such as for a
    shopping cart .. that's what I'm working on now actually .. I can have certain
    ASP procedures cached for different lengths of time .. like the cart always must change,
    but the what's new only needs to change when I update it manually, like once a week or so ..
    and the featured products maybe every 24 hours .. hey, less stress on the servers :)

    www.bahamassecurity.com/Cache.asp

    This is what the basic page actually looks like ..
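    As an added example (this is not the poster's class or any code from the thread), here is a Classic ASP sketch of the mechanism described in the first and last posts, written from the defensive side: a file cache with a per-block interval, a placeholder that is filled in on every request whether the block was cached or not, and, following the second reply's advice, a name filter plus a forced .htm extension so the cache writer can only ever produce plain .htm files inside one folder. The cache folder path, the block ids, the builder functions, the Session key and the `{{CART_COUNT}}` token are all assumptions made for the example.

```vbscript
<%
' Added example, not the poster's code. Folder, block ids, builders and the
' Session key are assumptions.
Option Explicit

' Assumption: the single folder that gets write permission. Keeping it outside
' HTDOCS means nothing in it can be requested (or executed) by the web server.
Const CACHE_DIR = "D:\site\cache\"
Const CACHE_EXT = ".htm"

' Accept only a short, plain stem: letters, digits, underscore and hyphen.
' This rejects "..", path separators, drive letters and any extension a caller
' could try to smuggle in, so the cache cannot be steered outside CACHE_DIR.
Function SafeStem(rawName)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_\-]{1,64}$"
    If re.Test(rawName) Then
        SafeStem = rawName
    Else
        SafeStem = ""
    End If
End Function

' The extension is always appended here, never taken from the request.
Function CachePath(stem)
    CachePath = CACHE_DIR & stem & CACHE_EXT
End Function

' True when the file exists and was written less than maxAgeMinutes ago.
Function CacheIsFresh(fso, path, maxAgeMinutes)
    CacheIsFresh = False
    If fso.FileExists(path) Then
        If DateDiff("n", fso.GetFile(path).DateLastModified, Now()) < maxAgeMinutes Then
            CacheIsFresh = True
        End If
    End If
End Function

Function ReadCache(fso, path)
    Dim ts
    Set ts = fso.OpenTextFile(path, 1)      ' 1 = ForReading
    ReadCache = ts.ReadAll
    ts.Close
End Function

Sub WriteCache(fso, path, html)
    Dim ts
    Set ts = fso.CreateTextFile(path, True) ' True = overwrite an expired copy
    ts.Write html
    ts.Close
End Sub

' Serve a block (or a whole page) from the cache while it is fresh; otherwise
' call the builder named in builderName, store its output and return it.
' Each block carries its own interval; maxAgeMinutes = 0 disables caching.
Function CachedBlock(blockId, maxAgeMinutes, builderName)
    Dim fso, stem, path, html, builder
    stem = SafeStem(blockId)
    If stem = "" Then Err.Raise 5, "CachedBlock", "Unsafe block id: " & blockId
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    path = CachePath(stem)
    If maxAgeMinutes > 0 And CacheIsFresh(fso, path, maxAgeMinutes) Then
        html = ReadCache(fso, path)
    Else
        Set builder = GetRef(builderName)
        html = builder()
        If maxAgeMinutes > 0 Then WriteCache fso, path, html
    End If
    ' The dynamic part that must run on every request, cached or not: the
    ' stored text carries a placeholder that is filled in at serve time.
    CachedBlock = Replace(html, "{{CART_COUNT}}", CStr(CartItemCount()))
End Function

' Hypothetical builders standing in for the database-driven code.
Function BuildWhatsNew()
    BuildWhatsNew = "<div id=""whatsnew""><p>New listings this week.</p>" & _
                    "<p>Cart: {{CART_COUNT}} item(s)</p></div>"
End Function

Function BuildFeatured()
    BuildFeatured = "<div id=""featured""><p>Featured homes.</p></div>"
End Function

Function CartItemCount()
    If IsEmpty(Session("cart_count")) Then
        CartItemCount = 0
    Else
        CartItemCount = Session("cart_count")
    End If
End Function

' Page assembly: left block refreshed weekly, right block every 24 hours.
Response.Write CachedBlock("whats_new", 7 * 24 * 60, "BuildWhatsNew")
Response.Write CachedBlock("featured", 24 * 60, "BuildFeatured")
%>
```

    For the whole-page case from the first post, the page name recovered from the 404 redirect goes through the same `SafeStem` filter; a path with a subfolder such as Homes/New_Home.htm should be mapped to a flat stem by the caller (for instance by replacing the slash) rather than letting separators through, so the write stays inside the one folder. The two questions in the first post then mostly answer themselves: the only folder that needs write permission holds nothing but generated .htm files and is not under the web root, so no script in HTDOCS can be overwritten by the cache writer, and no cached file can be executed.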

     