numtech
asked on

Apache2 security with PHP sessions

Hello,
I have a web site that browses files on a local disk and displays them to users logged on to the web site.
The problem is that if someone uses a URL like:
www.mywebsite.com/my_symbolic_link/user1/photos/photo1.jpg he can get the file.
I have used the Apache conf to avoid directory listing, so if someone tries:
www.mywebsite.com/my_symbolic_link/user1/photos/, he gets an error because he is not allowed to list directories... It's a first security measure, but someone with security software can try all possibilities and finally find them.

So my aim is to prevent this, maybe by forcing users to be logged in (so by using PHP sessions) or by using URL rewriting:
each URL containing "my_symbolic_link" is redirected to index.php so nobody can access it directly by URL and is obliged to use the file browser of the website.
For the moment it is the only "clean" way I have found, but I don't know if it's very secure.
Maybe there is a special module for Apache... I don't know.
Derokorian

You could serve up the image from a PHP script instead, making the links look something like www.example.com/my_symbolic_link/photos.php?id=1. Then in the photos.php script check if the user is logged in; if so, fetch the file info from the database, then open the file, output the headers for an image, and then output the contents of the file. If you need more help on this let me know.
numtech

ASKER

The problem is that users can create and delete directories as they want! For example a URL could be
"www.example.com/my_symbolic_link/users1/movies/mymovies/10_11/1.avi"
or even
"www.example.com/my_symbolic_link/users1/movies/mymovies/new/boy/birthday/songs/10_11/1.avi"
etc...
So I have no idea of the structure under users1... my website is literally doing an "ls" in PHP and showing it in the PHP browser I made. That's why the browser has the right to "cd" and "ls".
Moreover, there could be an enormous number of files, so putting the info into a database is not possible.
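The approach Derokorian describes (serve the file through a PHP script that first checks the session), adapted to the arbitrarily nested directory trees numtech mentions so that no database of files is needed. This is an added example, not code from this thread. It assumes a hypothetical /srv/userfiles directory that lives outside the Apache DocumentRoot and holds one subdirectory per user, a login name stored in $_SESSION['user'], and a request of the form files.php?f=movies/mymovies/10_11/1.avi; all of those names are assumptions. The point it adds to the discussion is path confinement: because the user controls both the directory structure and the URL, the script canonicalises the requested path and refuses anything that resolves outside that user's own directory.

```php
<?php
// Added example (not the thread's own code): stream a file from a protected
// per-user tree only to a logged-in user, after confining the requested path
// to that user's directory. Works for any nesting depth, so no database is
// needed; the filesystem itself is the index.
// Assumptions (hypothetical): USER_ROOT holds one subdirectory per user named
// after the login in $_SESSION['user'], and it sits OUTSIDE the DocumentRoot
// so Apache never serves it directly and this script is the only way in.

declare(strict_types=1);
session_start();

const USER_ROOT = '/srv/userfiles';   // assumed location, outside DocumentRoot

/**
 * Resolve $relative beneath $base and return the canonical path, or null when
 * the result is not a regular file or escapes $base (via "../", an absolute
 * path, or a symlink pointing elsewhere). realpath() follows symlinks, so a
 * link inside the tree that targets /etc/passwd resolves to /etc/passwd and
 * fails the prefix check below.
 */
function resolve_user_file(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // NUL bytes and backslashes have no business in a path; reject early.
    if (strpbrk($relative, "\0\\") !== false) {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . ltrim($relative, '/'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check: the canonical path must start with base + separator,
    // which also rules out a sibling such as /srv/userfiles/user1x for user1.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// 1. Require a login; no session means no file, whatever the path says.
//    The login name is also validated because it becomes a path component.
if (empty($_SESSION['user']) || !preg_match('/^[a-z0-9_]{1,32}$/', $_SESSION['user'])) {
    http_response_code(403);
    exit('Login required');
}

// 2. Confine the request to the logged-in user's own directory.
$path = resolve_user_file(USER_ROOT . '/' . $_SESSION['user'], $_GET['f'] ?? '');
if ($path === null) {
    http_response_code(404);   // same answer for "missing" and "not yours"
    exit('Not found');
}

// 3. Stream the file, with a type taken from its contents rather than the URL.
$mime = mime_content_type($path) ?: 'application/octet-stream';
$name = str_replace('"', '', basename($path));
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="' . $name . '"');
readfile($path);
```

The same resolve-and-compare check guards the "cd"/"ls" browser: apply it with is_dir() instead of is_file() before calling scandir(), and every listing is confined to the user's own tree as well. Directory-listing denial in the Apache config then becomes defence in depth rather than the only control, because the tree is no longer reachable by URL at all.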
Hi,

You could set a cookie when the user logs in to the site and check for the cookie in the .htaccess file.
If the cookie isn't there you can redirect them to the login page.
Delete the cookie when they log out, and you can set the cookie to expire x minutes from login...

When the user creates their folder you would need to copy the .htaccess into that folder.
numtech

ASKER

Cookies are really not secure, and I don't want to create a .htaccess in the folder because it's too intrusive.
I don't know how to take the statement "cookies are really not secure", neither are user login names and passwords unless you are on ssl, and if you are on ssl your cookies are also encrypted when sent.

Are you expecting people to be packet sniffing your traffic? Are you worried about people having physical access to your users computers, accessing their temporary files and reading their cookies?

You might need to step back and determine exactly what your security requirements are. Doing this will provide insight into what options are available to you.

ASKER CERTIFIED SOLUTION
numtech

That sounds like it will work if you don't want anyone to ever be able to access the files in that folder.
numtech

ASKER

I was the only one to find a viable solution.