How to secure a directory
Posted: Sun Apr 02, 2006 7:03 am
I'm in the middle of quite a large project which allows my client to:
- create their own questionnaires (web forms)
- have people fill them in
- view the responses to the questionnaires in a report
- reports contain graphs which are images, most likely pngs
- This way you won't have to wait around while the server generates a report. You only wait when creating a new snapshot. Graphs and report data that normally have to be dynamically generated can be cached.
- my client will be able to take several snapshots and see how the responses change over time.
To achieve this I thought that each snapshot would actually be a PHP file prefixed with security checking code at the top and containing the report itself below which is only shown if the user is correct (I've done all this stuff before for the system extranet). This way I can secure the report file itself. But that leaves the issue of the images (graphs) that the report uses. It would still be possible just to request these with the correct URL.
Basically the graphs for a snapshot have to be made private to the PHP file that shows that snapshot. So the only solutions I can think of for this problem are:
- store the images as a BLOB in the database
  This is not that desirable because there is a performance overhead doing this (which is one of the main reasons for having snapshots in the first place) and also it's quite complicated to do. But it would secure the application so it would in that sense WORK
- secure the folder with apache htaccess rules
  I know you can restrict image downloads to certain referer URLs but that can be spoofed. Could I use HTTP authentication for this? Of course then PHP would have to do the authentication automatically. My knowledge on Apache is limited
- Image filename (and thus URL) obfuscating / tokening
  Not really that secure, or is it? I suppose I could store tokens for each image in the database. Thoughts?
- Storing images outside of document root
  Would like to avoid this if possible
I'd appreciate any help you can provide so thanks in advance.
ole
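One way to do the tokening option from the list above, as an added example that is not part of the original post: a gatekeeper script streams each graph only when the request carries an HMAC token bound to the logged-in user, the snapshot and the file, so no per-image token has to be stored in the database. All names (`graph.php`, `GRAPH_DIR`, `GRAPH_SECRET`, `$_SESSION['user_id']`) are hypothetical, and the graph folder is assumed to be unreachable by direct URL (outside the document root, or denied by an Apache rule).

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout: GRAPH_DIR, GRAPH_SECRET, graph.php, $_SESSION['user_id'].
const GRAPH_DIR = '/var/www/private/graphs'; // assumed: not directly requestable over HTTP

function graph_token(string $secret, string $userId, string $snapshot, string $file): string
{
    // json_encode gives an unambiguous encoding of the three bound fields.
    return hash_hmac('sha256', json_encode([$userId, $snapshot, $file]), $secret);
}

function graph_url(string $secret, string $userId, string $snapshot, string $file): string
{
    return 'graph.php?' . http_build_query([
        's' => $snapshot, 'f' => $file,
        't' => graph_token($secret, $userId, $snapshot, $file),
    ]);
}

function serve_graph(string $secret, array $session, array $query): void
{
    $get = fn(string $k): string => is_string($query[$k] ?? null) ? $query[$k] : '';
    $userId = (string)($session['user_id'] ?? '');
    [$snapshot, $file, $token] = [$get('s'), $get('f'), $get('t')];

    // No secret configured or no logged-in user: refuse before touching the disk.
    if ($secret === '' || $userId === '') {
        http_response_code(403); return;
    }
    if (!preg_match('/^\d+$/', $snapshot) || !preg_match('/^[a-z0-9_-]+\.png$/', $file)) {
        http_response_code(404); return; // strict formats also rule out ../ in the path
    }
    if (!hash_equals(graph_token($secret, $userId, $snapshot, $file), $token)) {
        http_response_code(403); return; // constant-time comparison of the token
    }
    $path = GRAPH_DIR . "/$snapshot/$file";
    if (!is_file($path)) { http_response_code(404); return; }
    header('Content-Type: image/png');
    header('Cache-Control: private');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Entry point when this file is requested as graph.php.
if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'graph.php') {
    session_start();
    serve_graph((string)getenv('GRAPH_SECRET'), $_SESSION, $_GET);
}
```

The snapshot's PHP file, after its own security check, would write each `<img src>` with `htmlspecialchars(graph_url(...))`; a URL copied to another user or used without a session then fails the token check.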