We have IIS and win2K server for our company website, that is hosted by us. We have a registered area that gives access to certain pages by login.
Our login system is based on mysql and aspx/asp pages and I was wondering if there was a way to protect directories without using the windows users. We have some word docs and pdfs that can be downloaded if the paths are guessed. We are going to do an aspx transfer so the link is not as accessible, but I just think a username and password for any file in a directory (based on our custom login) would be more secure. We use a session validation curently.
I for some reason think there are people out there that can scan a website and see what files are physically on the box. We have dir browsing off, but when a coworker had some directory management software try it on our site, there were files that showed up that I didn't think they could see, or wanted them to see.
So am I paranoid, or is there a risk? The pdf downloading is my main concern. Thanks for any help.
Yeah I know it's odd. My coworker and I use php and mysql for our personal sites, so we knew mysql better than mssql. For a while we were using both, and just decided we liked the ease of mysql/phpmyadmin better. It is difficult to find help with that combination though Our pres is a microsoft fanatic so asp/aspx is what have to write.
Our login is currently done by asp and .dbf files and com objects that our president wrote, but it locks us out of making any changes and has many problems. He wants the switch to aspx, so I wanted the switch to control the data. Our company writes accounting software with CA visual objects and dbf is the ancient database they use, so that may give you a glimpse into where I am coming from. Quite clunky and not the best for web use. We have a lot of applications that are working quite well with the mysql/asp-aspx combo, but I am no expert so I'm sure there are more efficient ways to do it.