Building a client extranet which will have several users with role-based permissions stored in a database, allowing them to view PHP-based project pages with links out to uploaded static content. All PHP pages include an auth check for user:project permissions, but how do I add protection for deeper static files (.html, .gif, .jpg, .swf, etc.) if someone discovers the actual path and accesses them directly?
A link to a file would be something like:
/review.php?rid=789
which would actually be a pointer to a static file like:
/clients/client_name/project_name/date/foo.html|jpg|gif etc
Considering some kind of mod_rewrite that checks cookie values based on project permissions using a rewritemap. I suppose I could set a cookie that had an MD5 hash of the user's current project directory path and check with the rewrite condition to see if the 'client_name/project_name' was found in the URI. The rewritemap file would contain the hash table. But this is starting to seem convoluted. Is there a better approach, before I even begin, that someone would recommend (something with https, HTTP auth using MySQL, etc.)? Otherwise, you can expect a follow-up post to chart my slow wading into the mod_rewrite logic, as I am not sure how to use the cookie value, once grabbed, against the rewritemap values. Thanks a lot in advance for any ideas, and apologies for the muddiness of this scheme at this point.
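The simplest alternative to the cookie/RewriteMap scheme is to keep the uploaded files outside the DocumentRoot entirely, so Apache cannot serve them by any guessed path, and have review.php itself do the permission check and stream the file. The script below is an added example, not the poster's code or anything from the thread. It assumes a storage directory /var/www/private/clients outside the web root, a session that already carries the logged-in user id in $_SESSION['user_id'], a table reviews (rid, client_name, project_name, rel_path) mapping a rid to a file, and a table project_permissions (user_id, client_name, project_name, can_view) holding the role-based grants; all of those names, and the database credentials, are placeholders.

```php
<?php
// Added example (not the original poster's code): a gatekeeper that serves
// uploaded files only after the same user:project check the PHP pages do.
// Assumptions, none of which come from the post:
//  - uploads live OUTSIDE the DocumentRoot under STORAGE_ROOT, so a visitor
//    who learns /clients/acme/site/2009-01-01/foo.html gets a 404 from Apache;
//  - the login code stores the user id in $_SESSION['user_id'];
//  - tables `reviews` (rid, client_name, project_name, rel_path) and
//    `project_permissions` (user_id, client_name, project_name, can_view).
declare(strict_types=1);

const STORAGE_ROOT = '/var/www/private/clients';   // assumed; not under DocumentRoot

// Only types we intend to render inline; anything else is sent as a download.
const MIME_BY_EXT = [
    'html' => 'text/html; charset=utf-8',
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'swf'  => 'application/x-shockwave-flash',
    'pdf'  => 'application/pdf',
];

/**
 * Canonicalise $rel under the project directory and refuse anything that
 * resolves outside it. The stored path is our own data, but a bad row (or a
 * future upload bug) must not let "../../etc/passwd" be served.
 */
function resolve_protected_path(string $root, string $client, string $project, string $rel): ?string
{
    $projectDir = realpath($root . '/' . $client . '/' . $project);
    if ($projectDir === false) {
        return null;
    }
    $full = realpath($projectDir . '/' . $rel);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Compare with the trailing separator so "project_name2" cannot match "project_name".
    if (strncmp($full, $projectDir . DIRECTORY_SEPARATOR, strlen($projectDir) + 1) !== 0) {
        return null;
    }
    return $full;
}

function content_type_for(string $path): string
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return MIME_BY_EXT[$ext] ?? 'application/octet-stream';
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

$rid = filter_input(INPUT_GET, 'rid', FILTER_VALIDATE_INT);
if ($rid === false || $rid === null) {
    http_response_code(400);
    exit('Bad request');
}

$pdo = new PDO('mysql:host=localhost;dbname=extranet', 'extranet', 'secret',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);   // assumed credentials

// Resolve the rid and check the grant in one query, so there is no gap between
// "find the file" and "is this user allowed to see it".
$stmt = $pdo->prepare(
    'SELECT r.client_name, r.project_name, r.rel_path
       FROM reviews r
       JOIN project_permissions p
         ON p.client_name = r.client_name AND p.project_name = r.project_name
      WHERE r.rid = :rid AND p.user_id = :uid AND p.can_view = 1'
);
$stmt->execute([':rid' => $rid, ':uid' => (int) $_SESSION['user_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

$path = $row === false
    ? null
    : resolve_protected_path(STORAGE_ROOT, $row['client_name'], $row['project_name'], $row['rel_path']);

if ($path === null) {
    http_response_code(404);   // same answer for "no such rid" and "not yours", so rids cannot be enumerated
    exit('Not found');
}

header('Content-Type: ' . content_type_for($path));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Two caveats a practitioner would want. First, an uploaded .html page that references a sibling image by relative path (say img src="foo.gif") will no longer resolve, because the images are not under the web root either; either rewrite those references to go through review.php as well, or give review.php a path-style route (e.g. /review.php/789/foo.gif handled via PATH_INFO) and resolve the extra segment under the same project directory with the same confinement check. Second, readfile() ties up a PHP worker for the whole transfer; if mod_xsendfile is available, replace the readfile line with header('X-Sendfile: ' . $path) and let Apache stream the file after PHP has made the decision.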