0 votes
12.3k views
by (280 points)
Hi,

I am currently using your trial version of integralFTP javascript and I am considering buying a license. The included examples are getting me pretty much to where I want to go, but I have a question regarding the account information. I want to use integralFTP to give my site users the possibility to upload big files (up to 500mb or so). Anyway I want them to connect to their personal folder automatically, now the question: Since I don't want any of them to know anything about the ftp login I want to hide these variables, but the FTPclient needs them. How would I go about this? Can I put them somewhere else? Or encrypt or something? Or am I missing something?

your help is much appreciated,

Dilari

7 Answers

0 votes
by (51.6k points)
Hi Dilari

There is a fundamental problem in that, in the end, the browser has to send the password, which means that the browser has to know the password at that point. And if the browser knows it then it's possible for a person with access to that specific browser session to be able to get access to it.

Having said that, it's certainly possible to make it very hard to get access to it.

I suggest the following scheme:

When the user signs into your web-app, encrypt the password using the session ID and put it in a cookie.

When the browser needs to access the FTP server, grab the encrypted password from the cookie, decrypt it and use it to log into the server. This means that the password is not in the source, but only in an encrypted form in a short-lived cookie.

Obviously this requires that the client-side Javascript has the session ID for decrypting the password. Since this is on the client-side, it is possible for a hacker to get access to the password but they would need to know the session ID, so as long as that is kept secret it would be impossible for them to do that. Obviously the session ID is safer if this is happening over HTTPS.

Incidentally, you wouldn't have to use the session ID; you could use some other value that's known temporarily by the browser.

Does that make sense or have I misunderstood your question?

- Hans (EnterpriseDT)
0 votes
by (280 points)
Ok thanks for the quick reply !

I understand the problem, that's why I asked. I'll look into it. Since my users are fairly trusted this might be enough.

Dilari
0 votes
by (280 points)
Hi Hans,

Now that I actually understand better the way this has to be done, it raises the question:
Is using the integralFTP javascript version the best way to achieve what I want to do? Are there better ways, considering security, that you'd recommend? Perhaps provide each user with its own ftp-account? Although I am not sure how to automate that, but that's not your concern of course..
The main point is letting users upload (very) big files..

I am aware it might be a bit of an odd question....sorry for that !

thanks again!

dilari
0 votes
by (51.6k points)
It's an interesting problem. I guess essentially what you want is to (1) link the user-lists of the web-app and the FTP server, and (2) link their authentication modules such that when you're logged into one then you're also logged into the other. This couldn't be done without explicit cooperation from the FTP server, so you'd need some specialized functionality there. If you don't have that, then you can't get around having to (temporarily) store the password on the client-side, which is clearly a risk.

I'm not really sure what the answer is. We do have our own FTP server (CompleteFTP) and have discussed adding features to facilitate this sort of task, but really I doubt that there's a lot of demand for it, so it probably couldn't be justified in terms of development costs.

I'd be very interested to hear your thoughts though. This is clearly a problem of growing importance (i.e. uploading really large files), so we are certainly interested.

- Hans (EnterpriseDT)
0 votes
by (280 points)
Hi Hans,

Thanks again for your reply, I really appreciate your help.

Your description indeed is what would be my ideal scenario. You mention 'some specialized functionality' on the FTP-server. Do you have any more specific thoughts on that or any information on in what direction I should start looking for such options ? Configuring FTP servers is not really something I know much about.

I will post here if I find anything that brings me closer.

FTP is the way to go, right? for uploading large files.

Dilari
0 votes
by (51.6k points)
My guess would be that there aren't any FTP servers that would actually enable you to do that, at least I haven't heard of it.

Generally FTP, FTPS or SFTP are the preferred way to transfer really large files, but to the best of my knowledge integrating these with a web-app is not something that's really been possible until IntegralFTP became available. And, as you've discovered, it still isn't possible to make it really secure due to the need to resend the password when establishing the FTP connection.

I'm sorry, but I haven't really got a great solution for you.

- Hans (EnterpriseDT)
0 votes
by (280 points)
Since it (IntegralFTP) still is what comes closest to my needs I'll give it some more tries though. I figured that since my users are signed in already, I know who they are. Together with restricting them to access only one personal folder and encrypting the login like you suggested, and the fact that the uploaded files only live for at most 1 hour, can only be image files and will be moved and never accessible through the browser (other than via ftp), it should be a reasonably limited risk.. (if all of this is achievable.. it might be too heavy serverside...(?)).

Would it be possible to auto-change the ftp login, say, every 5 minutes and send that to the app on request..?

When (if) I get it all setup, I'll post it here..

Dilari
