  1. #1
    TheShaner

    ASP and IIS Authentication Problem

    Hi, I'm using IIS 5.1 to host some ASP pages I developed.

    One of the ASP pages allows for file uploading, which then stores the file in a specified folder on the server; next, using CDOSYS it emails it as an attachment; and lastly, it deletes it from the server folder since it has now been emailed. The file upload is accomplished via pure VBScript (no installed components), just to give you a bit more info.

    I have found that the way to get this to work without receiving a "Permission Denied" error is to uncheck Anonymous Authentication for my website folder (wwwroot in IIS). Now, this works fine as long as I'm accessing from localhost. If I change to accessing the page with my IP address in the address bar, I'm prompted with a login because now I'm not using the Anonymous Authentication that internet guests use (IUSR_<machinename>).

    How can I allow outside users to be able to upload to the server without requiring Authentication? Because take for example a company that allows uploads for Resumes for employment purposes. Naturally you don't want the user to have to go through any kind of authentication, but still be able to upload their resume to your server.

    I mean, with Anonymous Authentication checked, I could easily set the Folder Security Permissions of wwwroot to allow IUSR_<machinename> the ability to do more than just read, like write, modify, and delete (which corrects the problem of course), but that seems very unsafe to allow that to outside users. If I just modified those permissions to the folder used for uploads to allow creating and deleting of files, instead of wwwroot, would that be ok security- and safety-wise?

    Thanks for any input!
    Last edited by TheShaner; 09-07-2005 at 10:22 PM. Reason: Noticed only my upload folder permissions needed to change to allow Anon Authen

  • #2
    You should try adding the IUSR account onto the security permissions for the folder your site is hosted in or wherever the files are being saved at and give it write permissions. That way people won't need to log in. Hopefully that makes sense.
    OracleGuy

  • #3
    TheShaner
    Yep, makes sense. So far I've conceded to just giving the permissions of being able to create/write files and delete for the upload folder, which allows me to keep Anonymous Authentication checked without giving me a Permissions Denied error on my ASP pages. I'm just hoping that won't give me any kind of security breach with leaving that kind of access to that folder. I would think I'd be fine since I'm only constraining it to that one folder, but I just wanted to make sure, and was hoping someone might be able to shed a little more light on this area since I'm still pretty new to this. Thanks for the reply.

    -Shane
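
The arrangement the thread settles on (write and delete rights for the anonymous account on the upload folder only, not on wwwroot) can be checked with a script like the one below. It is an added example, not code from the thread; it assumes a host with PowerShell 3 or later, and the two paths and the identity list are placeholders to adjust.

```powershell
# Added example: report which folders under a web root let the anonymous IIS
# account (or a group it belongs to) create, change or delete files.
# Assumed values, not from the thread: $WebRoot, $UploadDir, $Identities.
$WebRoot    = 'C:\Inetpub\wwwroot'
$UploadDir  = 'C:\Inetpub\wwwroot\uploads'   # hypothetical upload folder
$Identities = @("$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME", 'Everyone')

# Rights that let a caller alter what is stored on disk, plus GENERIC_WRITE
# (0x40000000) and GENERIC_ALL (0x10000000), which show up on inherit-only entries.
$Rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = ([int]$Rights) -bor 0x40000000 -bor 0x10000000

function Get-WriteAce {
    # Allow entries on $Path that grant any right in $WriteMask to a listed identity.
    param([string]$Path, [string[]]$Identity)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $Identity -contains $_.IdentityReference.Value -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
    }
}

function Test-UnderUpload {
    # True when $Path is the upload folder itself or a folder beneath it.
    param([string]$Path)
    $root = $UploadDir.TrimEnd('\')
    $Path -ieq $root -or
        $Path.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)
}

$folders = @(Get-Item -LiteralPath $WebRoot) +
           @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Directory)

$report = foreach ($dir in $folders) {
    foreach ($ace in Get-WriteAce -Path $dir.FullName -Identity $Identities) {
        [pscustomobject]@{
            Folder    = $dir.FullName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Status    = if (Test-UnderUpload $dir.FullName) { 'expected' } else { 'REVIEW' }
        }
    }
}
$report | Sort-Object Status, Folder | Format-Table -AutoSize
```

Any row marked REVIEW is a folder outside the upload directory where the anonymous account can modify content. NTFS rights are only part of the picture: whether IIS will execute scripts from the upload folder is a separate site setting that this check does not read.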

