security - Using PHP/Apache to restrict access to static files (html, css, img, etc) -


Indicates that you have a lot of HTML, CSS, JS, IMG and etc. files are in a directory on your server. However, in the internet-land a user can fully access the files by typing as URL:

Now, what if you want to be able to load those files only to authorized users ? For this example, say that your users first log in from the URL:

How will you allow the user to view the index.html file (or "static-file" "), But restricts the rest of the file?

I have come away with two possible solutions in this way:

Solution 1
Adhere to the .htaccess file under "static-file": 

  option + follow on follow link rewrite engine Graphite ^ (. *) $ ../authorize.php?file=$1 [NC]

and then in authorize.php ... 

  If (isLoggedInUser ()) readfile ('static-files /'. $ _ Request ['file']); Second echo 'reject';

This authorize.php file is completely simplified

Deny order, allow denial of all from 000.000.000.000 Allow

and then add my login page Awareness is the .htaccess file that logs the IP address for each user. Obviously this will also require the regularity of any kind of cleanliness to purify the old or now use IP.

I worry that my first solution can be quite expensive on the server because the number of users and files is increasing. I think my second solution would be very less expensive, but due to IP spoofing and etc. it is also less secure. I also worry that writing these IP addresses in the HTACAC file can be an obstacle to the application if there are many users

Which of these solutions looks better, and why? Alternatively, can you think of a completely different solution which would be better than these two?

Consider using a PHP loader to handle authentication, and then you can access your required files return back. For example & lt; Img src = 'picture.jpg' / & gt; Instead of & lt; Img src = 'load_image.php? Image = picture.jpg '/ & gt; .

Your image loader can verify session, check credentials, etc. and then decide whether to return the requested file back to the browser. This will allow you to store all your secure files outside the Web secure route so that no one can just go to WGET or browse 'accidentally' on them.

Just return the right header in PHP and something like readfile () in PHP and he will return the browser's file content.

EDIT: I am creating this time that the system uses this method to load JavaScript, images, and video but css we are not very worried about securing.


Comments

Post a Comment

Popular posts from this blog

sql - dynamically varied number of conditions in the 'where' statement using LINQ -

I am using my first project LINQ (in mvc), so maybe there's something very simple that I remember. However, a day of searching and experimenting does not work, so it works. I am trying to write a LINQ query (Linux to SQL) in which in many cases where the statement is different from an OR or an AND. We do not know how many conditions are going in the query till runtime. This search is for filter control, where the user can choose multiple criteria for filtering. Select from table where table.col = 1 or table.col = 2 or table.col = 7 .... 'Other number of conditions Before I just create the SQL query as a string, while looping over all the situations. However, it seems that there should be a good way to do this in LINQ. I tried to use Expression trees, but they had a second thought for this moment on my head, where the lambda function was to be executed inside the statement such as: values ​​for matchingRows = matchingRows for each value Where (function (row) row.c...
Read more

asp.net mvc - Dynamically Generated Ajax.BeginForm -

I have a problem with ASP.NET MVC Ajax forms. I generate many Ajax form in a table such as: & Lt; Input type = "submit" name = "activity" value = "add activity" / & gt; & Lt;%}% & gt; & Lt; / TD & gt; & Lt; / TR & gt; & Lt;%}% & gt; So far so good. When I post one of those forms, it gives a partial view in a div, and in this new partial view a new Ajax Beginnform (which is not in Genesis form) This second Ajax Beginnorf is exactly like the ones I got on the table, but when I post it, I do not get the "Ajax Post", but a normal post that sends me to a new page, I do not know whether the two Ajax forms What is the reason for the difference between, why is it the "dynamically generated" Ajax form behaves like a normal HTML form? By the way, I know that I can do it in different ways using javascript, but I would like to understand whether it can only be done using MVC helplars and Ajax lib...
Read more

Debug on symbian -

I am using trk for phone debug This works well for the Holorld project But when I start the project in phone debug mode 1) the load failed 2) TrkProtocolPlugin: to target the specified file Failure (please verify If any body understands what problem I am experiencing, then this problem helps me Pre-release If the application has the privileges assigned (with the appropriate certificate) itemprop = "text" > In your case, I will check: / li> If there is no conflict of application ID with any other application of device If there are problematic commands in the installation package (for example copy copy for non-accessible directories)
Read more