Solved

PHP, Session and protect folder

Posted on 2004-11-15
Medium Priority
450 Views
Last Modified: 2012-06-27
I made a small framework to let users here administrate small web info pages.

They can upload documents, images, and make some pages protected by folders. ALL DOCUMENTS ARE UPLOADED IN A SINGLE FOLDER FOR A USER (images for the public site, or private documents).

To protect a page, I add a Cookie/Session mechanism on the pages they choose to protect. The problem is that if a user decides to add security to a page, and in this page puts a link to a document (so a link to a document uploaded in the user folder), the PHP page is protected, but the link to the document should implicitly be protected too. Same problem for IMAGES (<IMG>) inserted in this page. The IMG shouldn't be accessible if users are not authenticated.

Who could give me a solution or architecture to implement that kind of protection for a multi-user framework? Thanks.
Question by: eeolivier
9 Comments

Expert Comment by: hernst42 (LVL 48), ID: 12583204
To do this it's best to use custom tags for such links to pictures and documents, like [img]imagename[/img]
Then use
$text = preg_replace_callback('#\[img\]([^]]+)\[/img\]#iU',
    function ($m) { return checkimg($m[1]); }, $text);

In the function checkimg you implement the check to see if the current user has the right to view that image.
function checkimg($name) {
   // allowed when the visitor is entitled, or when the file name contains "public"
   // (strstr() takes the haystack first, then the needle)
   if (isEntitled() || strstr($name, 'public') !== false) {
       // escape the name so a crafted file name cannot break out of the attribute
       return "<img src='" . htmlspecialchars($name, ENT_QUOTES) . "'>";
   } else {
       return '';
   }
}

The same is possible for other tags. You can also use the HTML tags and parse them, but that regex is a little bit more difficult.

Just my 2 cents on how to do this.

Author Comment by: eeolivier, ID: 12583378
Maybe I didn't explain well.

In fact, if a user in a protected page puts "<IMG SRC="http://localhost/images/toto.jpeg">", my cookie session system doesn't protect the http://localhost/images/toto.jpeg file, so in a browser I can type "http://localhost/images/toto.jpeg" and get the picture.

Accepted Solution by: hernst42 (LVL 48, earned 500 total points), ID: 12583442
Do you have any information on whether such a file belongs to a private or public page, or maybe both, except that such a link is referenced inside a page?

If you have such information you might have a look at http://www.wazzup.co.nz/tutorials/protect_pdf/index.php for how files can be protected. I think you will need to rewrite parts of your application so the user decides on upload whether this file is public or private. Then you can check the file via such a script as given in that link to see if someone is allowed to get the file or not.

Assisted Solution by: virmaior (LVL 20, earned 500 total points), ID: 12584387
If you have access to htaccess, then you can protect the files in each directory.

I've shown this solution elsewhere for other problems.

http://www.experts-exchange.com/Web/Web_Languages/PHP/Q_21202995.html#12564758
http://www.experts-exchange.com/Web/Web_Languages/PHP/Q_21204635.html#12565798

Fundamentally, you set an htaccess file so that all access is natively denied,
but you use the ErrorDocument function to have another PHP file check for access based on your own rules.
This in turn serves the page (either by processing with include() for PHP or by reading it with readfile() for non-PHP (JPG, etc.)).
Implementing it as multi-user just involves checking the permissions based on the directory path in conjunction with the user's rights.

To do this just parse the directory path and check for the rights that way.
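The .htaccess deny plus ErrorDocument gatekeeper that virmaior describes, written out as an added example (not code from the thread); the directory layout, the "public/" rule and the $_SESSION['auth'] key are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed layout:
//   /var/www/html/users/<owner>/...   one upload folder per site owner
//   /var/www/html/users/.htaccess     Require all denied   (Deny from all on Apache 2.2)
//                                     ErrorDocument 403 /guard.php
//   /var/www/html/guard.php           this script
// Every direct request under /users/ is refused by Apache; the 403 handler
// then decides with its own rules and streams the file itself.
session_start();

// REDIRECT_URL is set by Apache when it runs an ErrorDocument internally
$requested = $_SERVER['REDIRECT_URL'] ?? '';

// Only /users/<owner>/<relative path> is valid; the character classes keep out
// traversal ("..") and anything that is not a plain file path
if (!preg_match('#^/users/([A-Za-z0-9_]+)/((?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_.-]+)$#', $requested, $m)
    || strpos($m[2], '..') !== false) {
    http_response_code(404);
    exit;
}
[$owner, $relPath] = [$m[1], $m[2]];

// Access rule of this example: files under <owner>/public/ are open to all;
// everything else needs the session flag that the owner's protected page sets
// after its cookie/session login (key name $_SESSION['auth'][$owner] is assumed)
$isPublic = strncmp($relPath, 'public/', 7) === 0;
if (!$isPublic && empty($_SESSION['auth'][$owner])) {
    http_response_code(403);
    exit;
}

// Resolve symlinks and confirm the result still lies inside the owner's folder
$base = realpath($_SERVER['DOCUMENT_ROOT'] . "/users/$owner");
$file = $base === false ? false : realpath("$base/$relPath");
if ($file === false || !is_file($file) || strpos($file, $base . '/') !== 0) {
    http_response_code(404);
    exit;
}

// Without this the response would carry the 403 status of the error document
http_response_code(200);
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
```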

Assisted Solution by: _GeG_ (LVL 9, earned 500 total points), ID: 12585907
The other way is to rename the files:
i.e.
the user uploads image1.jpg
your script stores image1.jpg with a random file name (osnduoifrno) and puts the random - real file name relation in a database.
If somebody wants to retrieve image1.jpg, they call your script
script.php?file=image1.jpg
and your script simply looks up the random file name in the database and sends its contents by file_get_contents().
If people cannot see a listing of your directory, they have no way of knowing the random file names.

Assisted Solution by: sergio_ga (earned 500 total points), ID: 12624972
As a mix of the solutions offered by virmaior and _GeG_ you could use mod_rewrite (http://httpd.apache.org/docs/mod/mod_rewrite.html) to translate URLs from:
http://domain.com/users/user_name/file_name.ext
to:
http://domain.com/users/user_name/getfile.php?file=file_name.ext
or
http://domain.com/users/getfile.php?user=user_name&file=file_name.ext
or whatever you like.
getfile.php will check if the user is authorised to retrieve the file and will (or won't) output the file.
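As an added example (not from the thread), this getfile.php combines the three suggestions above: _GeG_'s random on-disk names looked up in a database, sergio_ga's mod_rewrite URL, and the public/private choice made at upload time from hernst42's accepted answer. The table layout, paths and the $_SESSION['auth'] key are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed setup:
//   web-root .htaccess:  RewriteEngine On
//                        RewriteRule ^users/([^/]+)/([^/]+)$ getfile.php?user=$1&file=$2 [L,QSA]
//   uploads live OUTSIDE the web root as /srv/uploads/<owner>/<random name>, and
//   a table files(owner, orig_name, stored_name, is_public) maps the name the
//   uploader chose (image1.jpg) to the random on-disk name plus the
//   public/private choice made at upload time.
session_start();
const UPLOAD_ROOT = '/srv/uploads';
function lookupFile(PDO $db, string $owner, string $origName): ?array
{
    // prepared statement: both values come straight from the URL
    $st = $db->prepare('SELECT stored_name, is_public FROM files WHERE owner = ? AND orig_name = ?');
    $st->execute([$owner, $origName]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function visitorMayRead(array $row, string $owner): bool
{
    // public files are open; private ones need the flag that the owner's
    // protected page sets after its cookie/session login (key name assumed)
    return (bool) $row['is_public'] || !empty($_SESSION['auth'][$owner]);
}

function sendFile(string $owner, string $storedName): void
{
    // stored_name was generated server-side (e.g. bin2hex(random_bytes(16)));
    // basename() makes sure neither value can ever be used as a path
    $path = UPLOAD_ROOT . '/' . basename($owner) . '/' . basename($storedName);
    if (!is_file($path)) { http_response_code(404); exit; }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);  // streams to the client without buffering the whole file
}

$owner = $_GET['user'] ?? '';
$name  = $_GET['file'] ?? '';
if (!preg_match('/^[A-Za-z0-9_]+$/', $owner) || !preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
    http_response_code(400); exit;
}
$db  = new PDO('sqlite:' . UPLOAD_ROOT . '/files.db');  // any PDO driver works
$row = lookupFile($db, $owner, $name);
if ($row === null)                 { http_response_code(404); exit; }
if (!visitorMayRead($row, $owner)) { http_response_code(403); exit; }
sendFile($owner, $row['stored_name']);
```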

Expert Comment by: hernst42 (LVL 48), ID: 12825479
Split: hernst42 {http:#12583442} & virmaior {http:#12584387} & _GeG_ {http:#12585907} & sergio_ga {http:#12624972}

Expert Comment by: _GeG_ (LVL 9), ID: 12827653
I was wondering last month why I had received so few points. Now I know, because the askers do not close the questions!
Thanks mods for checking this!

btw I agree with the split that hernst42 suggests.

Expert Comment by: Venabili (LVL 20), ID: 12893686
Just a note -- I am not a Moderator but just a Cleanup Volunteer (and Page editor actually but in other areas) and Cleanup is a normal process -- in some areas slower in some areas faster but it is going on :)

Thanks for the responses. They really help :)