WebFile Security

Hi All,

I would like to lock-down access to some webfiles on a per-session basis.

Webfiles have a nifty feature for this!
http://documentation.xojo.com/index.php/WebFile.Session

However… when my WEBSDK control attempts to load the file using JavaScript, it fails when the WebFile.Session property is set.

Does anyone have any ideas?

Whether or not the WebFile.Session property is set changes the WebFile.URL property, so make sure you set it to the value you want before retrieving the URL.

Thanks for the tip! I don’t think that’s the issue though.

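[code]
Public Function CreateWebFile(strData As String) As String

  // Build an in-memory WebFile and bind it to this session
  Dim TempWebFile As New WebFile
  TempWebFile.Data = strData
  TempWebFile.ForceDownload = True
  TempWebFile.Session = Self

  // Keep a reference in the dictionary so the WebFile stays alive after this function returns
  dicWebFiles.Value(TempWebFile.URL) = TempWebFile

  Return TempWebFile.URL

End Function[/code]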

Here is the code I used.

The object is then loaded into a JS variable on the browser using the returned link.

I don’t see any reason that would cause the problem you are describing… unless the dicWebFiles dictionary is getting reinitialized somehow.

Mhhhh interesting… everything works just fine with TempWebFile.Session = self commented out. Is there any way I can get some more information about how the session authentication works under the hood? Perhaps the way my JS downloads the file prevents the authentication from working.

First of all, if you are creating webfiles within the context of a Session, you should never have to do what you are doing… that is, setting Session to Self is redundant. The only time you should actually need it is if you want it to be Nil or to set it to a specific session from an event that runs on the main thread, like a socket or timer event.

WebFiles which are attached to sessions must have the sessionID in the url and be downloaded from the same IP address that the browser is connected from.

Security through obscurity - there are no cookies. All requests are based on a unique URL that includes the session identifier. For example, creating a txt file as such:

[code]
Object1.Data = "Test text"
Object1.ForceDownload = True
Object1.Filename = "test.txt"
Object1.Session = Session

MsgBox(Object1.URL)[/code]

Produces:

/E82DF5794987478E091B42F1222D8996091A45CB/files/7280-9482-5692-4459-3819/test.txt

The first part is the unique session identifier.

No IP address, user agent, or other checks are done to verify it is in fact the same “session”.

[quote=362483:@Greg O’Lone]

WebFiles which are attached to sessions must have the sessionID in the url and be downloaded from the same IP address that the browser is connected from.[/quote]

Are there exceptions for local area networks? I can confirm the IP address is not validated in a LAN environment.
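
The posts above disagree on whether a session-attached WebFile URL is checked against the client's address. As an added illustration (not code from the thread and not Xojo's implementation), this Python sketch shows what such a check looks like on the server side for a URL of the shape quoted above. The `SessionRecord` type, the `authorize_download` function, the URL pattern inferred from the single example URL, and the sample IP addresses are all assumptions made for the example.

```python
import hmac
import re
from dataclasses import dataclass

# URL shape inferred from the one example URL in the thread (an assumption):
#   /<40 hex session id>/files/<file id>/<filename>
SESSION_FILE_URL = re.compile(
    r"^/(?P<sid>[0-9A-Fa-f]{40})/files/(?P<fid>[0-9-]+)/(?P<name>[^/]+)$"
)

@dataclass
class SessionRecord:       # hypothetical server-side session state
    session_id: str
    client_ip: str         # address the session was opened from
    file_ids: frozenset    # files attached to this session

def authorize_download(path, remote_ip, sessions):
    """Return (allowed, reason) for a request to a session-scoped file URL."""
    m = SESSION_FILE_URL.match(path)
    if m is None:
        return False, "malformed"
    # Constant-time comparison per candidate, so response timing does not
    # reveal how much of a guessed identifier matched.
    record = None
    for candidate in sessions:
        if hmac.compare_digest(candidate.session_id, m["sid"]):
            record = candidate
    if record is None:
        return False, "unknown-session"
    if m["fid"] not in record.file_ids:
        return False, "file-not-in-session"
    # The identifier in the URL acts as a bearer token: anyone holding the
    # URL passes the checks above. Binding to the session's address narrows that.
    if remote_ip != record.client_ip:
        return False, "ip-mismatch"
    return True, "ok"

# Constructed sample data; session id and file id are copied from the thread's URL,
# the IP addresses are documentation-range placeholders.
SESSIONS = [SessionRecord(
    "E82DF5794987478E091B42F1222D8996091A45CB",
    "203.0.113.10",
    frozenset({"7280-9482-5692-4459-3819"}),
)]
URL = ("/E82DF5794987478E091B42F1222D8996091A45CB"
       "/files/7280-9482-5692-4459-3819/test.txt")

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, authorize_download(URL, ip, SESSIONS))
```

Clients behind the same NAT gateway or reverse proxy present the same address to the server, so an address comparison like this one cannot tell them apart.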