| Groups | Blog | Home |
iis security : isapi filter cookie
I am developing a pay-per-view web based application. I am writing an ISAPI filter that handles the security issues. When a user requests a page with embedded media file located in a particular directory the ISAPI checks whether the request came from a proper place by checking cookies. If verified the file is passed through. Otherwise the user is redirected to a signin page. This works well for html and image files but not for the media files. I noticed that when a request for a media file is processed the cookies are not accessible. I reckon that this is due to the fact that the request comes from the application (ie windows media player) rather than browser and therefore the cookies are not passed. Has anyone dealt with a similar situation? Is there a work around? Would greatly appreciate your comments. best regards
Cookies is primarily client-driven phenomenon over HTTP ( i.e. you're not
going to find cookies specified in the HTTP spec), so if you have a client which does not support cookies... you're out of luck trying to use it. Are you sure the problem is that the client does not support cookies, or is the problem that your server is returning a cookie when the client knows it never set a cookie (so it rejected it on security grounds)? I think you're going to have to find another means of storing state -- perhaps you can keep a list of authenticated IP-addresses on the server and redirect those that haven't logged in (i.e. transform the initial login cookie into an IP stored on the server). -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "ptr" <ptr1024@yahoo.com> wrote in message Hi,news:fb75c062.0311070956.5be88669@posting.google.com... I am developing a pay-per-view web based application. I am writing an ISAPI filter that handles the security issues. When a user requests a page with embedded media file located in a particular directory the ISAPI checks whether the request came from a proper place by checking cookies. If verified the file is passed through. Otherwise the user is redirected to a signin page. This works well for html and image files but not for the media files. I noticed that when a request for a media file is processed the cookies are not accessible. I reckon that this is due to the fact that the request comes from the application (ie windows media player) rather than browser and therefore the cookies are not passed. Has anyone dealt with a similar situation? Is there a work around? Would greatly appreciate your comments. best regards peter
Just use simple url rewriting - embed the value of the cookie in the url
used by media player and strip it out in your filter in preproc headers or redirect the client to the login page or even better, send an access denied error to the client (as media player probably won't be able to display the login page). Jerry [quoted text, click to view] "ptr" <ptr1024@yahoo.com> wrote in message news:fb75c062.0311070956.5be88669@posting.google.com... > Hi, > > I am developing a pay-per-view web based application. I am writing an > ISAPI filter that handles the security issues. When a user requests a > page with embedded media file located in a particular directory the > ISAPI checks whether the request came from a proper place by checking > cookies. If verified the file is passed through. Otherwise the user is > redirected to a signin page. > > This works well for html and image files but not for the media files. > I noticed that when a request for a media file is processed the > cookies are not accessible. I reckon that this is due to the fact that > the request comes from the application (ie windows media player) > rather than browser and therefore the cookies are not passed. > > Has anyone dealt with a similar situation? Is there a work around? > Would greatly appreciate your comments. > > best regards > > peter
Thanks Jerry. that's what I thought...
peter [quoted text, click to view] "Jerry III" <jerryiii@hotmail.com> wrote in message news:<ejekwvYpDHA.2808@TK2MSFTNGP10.phx.gbl>...
> Just use simple url rewriting - embed the value of the cookie in the url > used by media player and strip it out in your filter in preproc headers or > redirect the client to the login page or even better, send an access denied > error to the client (as media player probably won't be able to display the > login page). > > Jerry > > "ptr" <ptr1024@yahoo.com> wrote in message > news:fb75c062.0311070956.5be88669@posting.google.com... > > Hi, > > > > I am developing a pay-per-view web based application. I am writing an > > ISAPI filter that handles the security issues. When a user requests a > > page with embedded media file located in a particular directory the > > ISAPI checks whether the request came from a proper place by checking > > cookies. If verified the file is passed through. Otherwise the user is > > redirected to a signin page. > > > > This works well for html and image files but not for the media files. > > I noticed that when a request for a media file is processed the > > cookies are not accessible. I reckon that this is due to the fact that > > the request comes from the application (ie windows media player) > > rather than browser and therefore the cookies are not passed. > > > > Has anyone dealt with a similar situation? Is there a work around? > > Would greatly appreciate your comments. > > > > best regards > >
I have yet another problem with the filter and the media files which i
cannot figure out... A media file is <EMBEDed into an html page. Bellow is a simple snippet of OnPreprocHeaders code. This is what happens: * when I just pass the url to the media file through the filter AND the url does not contain a query string after the file name (eg /test.wma) it works fine with either 7 or 9 versions of WMP * when I pass the url through the filter BUT the url contains query string (eg /test.wma?v=12345) it fails when accessed via WMP7 (i am getting 'The page cannot be displayed') but works when accessed from a machine with WMP9 installed * when I GetHeader("url") and then SetHeader("url") on OnPreprocHeaders without modifying the url I can access it from WMP9 but not WMP7 (regardless whether a query string is present or not). * this problem does not relate to html, gif, jpeg files Is there some extra information that have to be passed in the header for older WMPs? I tried to add pCtxt->m_pFC->AddResponseHeaders(pCtxt->m_pFC, "Content-type = application/x-mplayer2\r\n\r\n", 0); in OnPreprocHeaders but still the same problem. I would greatly appreciate any help or suggestions many thanks peter PS using the code bellow I can access media files using WMP9 but not WMP7 DWORD COvumFltrFilter::OnPreprocHeaders(CHttpFilterContext* pCtxt, PHTTP_FILTER_PREPROC_HEADERS pHeaderInfo) { char pUrl[1024]; LPDWORD pBufLen = new DWORD; char* pTmp = 0; *pBufLen = (DWORD)1024; for(int i=0; i<1024; i++) pUrl[i] = 0; pHeaderInfo->GetHeader(pCtxt->m_pFC, "url", pUrl, pBufLen); if(strstr(pUrl, ".wma")){ if(pTmp=strstr(pUrl, "?")) *pTmp = '\0'; pHeaderInfo->SetHeader(pCtxt->m_pFC, "url", pUrl); } delete pBufLen; return SF_STATUS_REQ_NEXT_NOTIFICATION; } [quoted text, click to view] ptr1024@yahoo.com (ptr) wrote in message news:<fb75c062.0311100217.425c22f0@posting.google.com>...
> Thanks Jerry. that's what I thought... > > peter > > > "Jerry III" <jerryiii@hotmail.com> wrote in message news:<ejekwvYpDHA.2808@TK2MSFTNGP10.phx.gbl>... > > Just use simple url rewriting - embed the value of the cookie in the url > > used by media player and strip it out in your filter in preproc headers or > > redirect the client to the login page or even better, send an access denied > > error to the client (as media player probably won't be able to display the > > login page). > > > > Jerry > > > > "ptr" <ptr1024@yahoo.com> wrote in message > > news:fb75c062.0311070956.5be88669@posting.google.com... > > > Hi, > > > > > > I am developing a pay-per-view web based application. I am writing an > > > ISAPI filter that handles the security issues. When a user requests a > > > page with embedded media file located in a particular directory the > > > ISAPI checks whether the request came from a proper place by checking > > > cookies. If verified the file is passed through. Otherwise the user is > > > redirected to a signin page. > > > > > > This works well for html and image files but not for the media files. > > > I noticed that when a request for a media file is processed the > > > cookies are not accessible. I reckon that this is due to the fact that > > > the request comes from the application (ie windows media player) > > > rather than browser and therefore the cookies are not passed. > > > > > > Has anyone dealt with a similar situation? Is there a work around? > > > Would greatly appreciate your comments. > > > > > > best regards > > >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |