Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Using SFTP in a web page (really dumb question)

WillAffleckUW (858324) writes | about 2 years ago

User Journal 8

OK, so today I'm trying to write a web page to link a bunch of known files and transfer them to another location.

Due to HIPAA and VA rules this has to be a secure file transfer, encrypted.

When they get to our site, they have to login as a specific user. The user belongs to a group. The site forces HTTPS secure connection if they try to come in as HTTP.

So, normally, if I wanted to provide a link to a file I would go something like this:

OK, so today I'm trying to write a web page to link a bunch of known files and transfer them to another location.

Due to HIPAA and VA rules this has to be a secure file transfer, encrypted.

When they get to our site, they have to login as a specific user. The user belongs to a group. The site forces HTTPS secure connection if they try to come in as HTTP.

So, normally, if I wanted to provide a link to a file I would go something like this:


get important file

Can I just use SFTP in place of FTP? Or if I specify FTP will it literally invoke FTP on the browser end? Since the entire thing is running under SSL2 for SSH is this just plain overkill?

Or am I just being extraordinarily clueless?

I ask, cause normally I write code that uses PHP and runs MySQL commands and literally builds the output files - CSV, XLS, etc - from scratch, and sets the transfer type and authentication level. But this is so primative - a literal ONE FILE TRANSFER LINK - that I can't remember what to do, as the last time I did something like that, not using FOPEN() and scanning a dir and popping an array and building stuff was like ages ago in Internet time, and back then we used FTP.

THANKS!

cancel ×

8 comments

ok, so I think I may have an answer (1)

WillAffleckUW (858324) | about 2 years ago | (#40644329)

Just going thru all the W3C web stuff I get "These functions are meant for detailed access to an FTP server. If you only wish to read from or write to a file on an FTP server, consider using the ftp:// [ftp] wrapper with the Filesystem functions"

As I'm reading it, it seems to be saying, based on some other areas, that since we're already running under HTTPS (secure SSL HTTP), the browser invocation of FTP will be in a secure instance and you can just use the "ftp://" invoke directly in an anchor tag, and it will still be secure and encrypted.

Seriously, that is just too simple. Probably why I spaced it.

Re:ok, so I think I may have an answer (1)

Nethead (1563) | about 2 years ago | (#40645635)

Thanks for the update on what you found. I was about to try it and pull out a sniffer. I still may just to see exactly how the protocol works. To wet to weed-eat the yard anyway.

Re:ok, so I think I may have an answer (1)

WillAffleckUW (858324) | about 2 years ago | (#40664651)

Thanks, it would be useful to hear what you found

Re:ok, so I think I may have an answer (0)

Anonymous Coward | about 2 years ago | (#40646069)

you can just use the "ftp://" invoke directly in an anchor tag, and it will still be secure and encrypted

wait, wat?

First, ftps is reserved for SSH's file transfer protocol. ftps is FTP+SSL just like https is HTTPS+SSL. Use the right terminology or everyone will hate on you. Especially in the healthcare field where we're trying to get everyone to pull their heads out of their assess and use the interwebs for claim submission instead of dialup or fucking frame relay.

Second: "ftp://" invokes the FTP protocol, using the FTP port, which is assuredly not encrypted (by default). Unless you have the server setup to deny access to unencrypted authentication AND content (warning: most servers default to only encrypted authentication) then you are neither secure nor encrypted. Also note that IE's built-in FTP client is shit and aside from sucking ass, doesn't support encryption. Have your client download Filezilla, CoreFTP or, hell, just about anything but a web browser.

Re:ok, so I think I may have an answer (0)

Anonymous Coward | about 2 years ago | (#40646125)

dammit, nerd raging so hard I fucked up my own shit.

sftp is SSH's file transfer protocol
ftps is FTP+SSL

Re:ok, so I think I may have an answer (1)

WillAffleckUW (858324) | about 2 years ago | (#40664681)

yes, but we have all our servers set up to take any ftp or http request and turn it into an ftps or https. Seriously, when you come in on a raw http: feed it turns into an https: feed and so on.

As to ports, we don't use the defaults.

Re:ok, so I think I may have an answer (1)

WillAffleckUW (858324) | about 2 years ago | (#40664707)

Also, my "client" is the VA, they have no control over their physical boxen.

Final answer is, just link the raw files (1)

WillAffleckUW (858324) | about 2 years ago | (#40665557)

So, given it is running HTTPS with specific user name and specific login and in a specific directory, just provided a direct file link which shipped it over the connection and the browsers invoked the XLS and CSV translator programs they were specified to use, from which they were prompted to save.

Geesh, that was too simple. I was thinking I'd have to specify it.

Guess not.

By the way, yes, our server runs under a credential that is NOT public. Makes us semi-invisible.

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...