OK guys… here goes my first attempt at a tutorial. It is basically a summary of the input from many users in this thread: http://www.antionline.com/showthread...=&display=show

Other pertinent links are listed at the bottom. Info on how this works in other browsers would be appreciated. All my testing was in IE.


BACKGROUND INFO (So you Know Where This Is Coming From)
----------------------------------------------------------------------------------------
The question posed was simple: Can anyone think of a way to protect a download link so that people cannot see where the download is coming from?

The poster went on to explain why this was needed. He thinks that people are using a direct link to download his company's software (thus bypassing the registration page). FYI, the poster was running IIS 5 and also stated that forcing a username/password was not an option (according to his higher ups).



DESIRED RESULT:
----------------------------------------------------------------------------------------
ASP solution to mask download source to avoid direct downloads



SOME PROPOSED IDEAS:
----------------------------------------------------------------------------------------
IDEA: Use http-referer to determine if user came from the registration form and then redirect them to the download page.
PROBLEM: Download page would still show a link to the file, meaning a direct path to the file could be attained by looking at the html source.

IDEA: Using a redirect straight to the file (not to an html or asp page containing a link to the file). PROBLEM: SittingDuck said it simply "If you think about, how does the browser know where to download the file from? If the browser knows, then so can you." Header information sent to the browser on the redirect WILL reveal the source file's path on the server and can easily be tested using Achilles. In addition, IE will open known file types with appropriate handlers rather than forcing a download. I tried this method with a zip file and got a bunch of encoded text displayed in my browser - not a viable solution if you ask me!

IDEA: 1) Person buys the software, and a dynamically generated link is sent to them. That link has an order number in it that specifies it as that specific download. The link is actually a script that is used to push the program out to the user. 2) When the user clicks on the link, the script parses the url, looks up that order number in the database, and serves up the program(s) that they purchased to them. 3) A cron job comes through nightly and deletes the link (script) that was created after 3 days so it is no longer accessible.
PROBLEM: I don't know what program does this on IIS. Comments/Suggestions welcome! I would assume this would be a corporate program and, if so, we have to factor in cost. Link would still be available until auto-deleted by the system, but that doesn't seem like too much of a risk to me.



SOLUTION I LIKE THE MOST (Can't vouch for others in the thread)
----------------------------------------------------------------------------------------
IDEA: Using the http-referer suggestion from above and, upon validating that the user has come from the registration page, streaming the file to the user rather than attempting to load/save the file through a traceable proxy request.



SOURCE FILE (gleaned from http://www.planet-source-code.com/xq...s/ShowCode.htm )
----------------------------------------------------------------------------------------
FYI - A working example of these files can be viewed at http://www12.brinkster.com/bluebeard96/

This code will force a download (in IE, at least) of ANY file type, including common types that the browser usually loads... htm/asp/gif/jpg/txt, etc).

I made modifications to this code to add the http-referer check and add additional comments for the tutorial.


<%
If request.servervariables("http_referer") = "http://www12.brinkster.com/bluebeard96/form.asp" Then

If request.form("name") = "" then
Response.write "name is a required field. Please try again."
Else
' Constants for Reading Text File
Const ForAppending = 8
Const ForReading = 1
Const ForWriting = 2
Const TristateFalse = 0
Const TristateMixed = -2
Const TristateTrue = -1
Const TristateUseDefault = -2

' File System Objects
Dim FSO
Dim TS

' Server File (this is the REAL name of the file)
Dim strFile: strFile = Server.MapPath("sourcefile.txt")

' File to Save As (this is the name you want to tell the browser)
' Note: this does NOT have to match the name of the actual file!
Dim strFileSave: strFileSave = "savedfile.txt"

' Tell Browser what the file name is, so it doesn't try to save as "formproc.asp"
' Since the only info sent through the proxy is for the .asp page, we need to tell
' the browser what file name to show when you click "Save To Disk"
Call Response.AddHeader("Content-Disposition","attachment; filename=""" & strFileSave & """")

' Write out content-type that will FORCE user to SAVE FILE.
' "image/gif" will display in browser
Response.ContentType = "bad/type"

' Initialize File System Object
Set FSO = Server.CreateObject("Scripting.FileSystemObject")

' Open TextStream for Reading
Set TS = FSO.GetFile(strFile).OpenAsTextStream(ForReading,TristateTrue)

' TS.ReadAll DOES NOT WORK. Every Byte must be read and written individually.
' I think you can read them in Chucks, but this was easier. If you know how to
' Read chunks... go ahead, read chunks
' Output MUST be BinaryWrite

Do While Not (TS.AtEndOfStream)
Response.BinaryWrite(TS.Read(1))
Loop

' Cleanup, like all good programmers do.
TS.Close
Set TS = Nothing
Set FSO = Nothing

Response.End
End If
Else
Response.Write "This file can only be accessed through our registration form"
End If
%>





CONCLUSIONS:
----------------------------------------------------------------------------------------
By loading the download as a stream rather than an individual file, we have successfully bypassed the proxy. The end user has NO knowledge of where the file is located.

By implementing a simple check on the http-referrer, we can verify that users came from the registration form. As far as filling out the form, well… that's up to the webmasters to implement effective form field validation. Granted… with this proposed solution somebody could provide false info in the form, be directed to the file stream, and receive the file. The bottom line, though, is that they don't have a direct link to use or pass on in the future… thus fulfilling the original request.




PERTINENT LINKS:
----------------------------------------------------------------------------------------
Test Site Home: http://www12.brinkster.com/bluebeard96/
Try to click on the link to formproc.asp and notice that it will NOT work (as it is not the correct referer)

Test Site "Registration Form": http://www12.brinkster.com/bluebeard96/form.asp
One text field… no test other than verifying that the field is not null

Achilles Proxy (to view the info sent to/from your computer when you make web requests):
http://www.packetstormsecurity.com/f...-0-27.zip.html

Source Code:
http://www.planet-source-code.com/xq...s/ShowCode.htm



Thanks Everyone! Comments are welcome. Let me know if there's any way I can do better on tutorials in the future!!