protecting static files within authenticated php site

Fix it!!

protecting static files within authenticated php site

Postby johnc » Thu Jul 31, 2008 3:17 pm

Building a client extranet which will have several users with role based permissions stored in a database allowing them to view php-based project pages with links out to uploaded static content. All php pages have included auth check for user:project permissions, but how to add protection for deeper static files (.html, .gif, .jpg, .swf, etc) if someone discovers the actual path and accesses directly?

A link to a file would be something like:

/review.php?rid=789

which would actually be a pointer to a static file like:

/clients/client_name/project_name/date/foo.html|jpg|gif etc

Considering some kind of mod_rewrite that checks cookie values based on project permissions using a rewritemap. I suppose I could set a cookie that had an md5 hash of user's current project directory path and check with the rewrite condition to see if the 'client_name/project_name' was found in the URI. The rewritemap file would contain the hash table. But this is starting to seem convoluted. Is there a better approach before I even begin that someone would recommend (something with https, http auth using mysql, etc)? Otherwise, you can expect a follow-up post to chart my slow wading into the mod_rewrite logic as I am not sure how to use the cookie value once grabbed to use against the rewritemap values. Thanks alot in advance for any ideas and apologies for the muddiness of this scheme at this point.
johnc
 
Posts: 2
Joined: Thu Jul 31, 2008 2:36 pm

Postby richardk » Fri Aug 01, 2008 3:42 pm

A link to a file would be something like:

/review.php?rid=789

which would actually be a pointer to a static file like:

/clients/client_name/project_name/date/foo.html|jpg|gif etc

So review.php is used when accessing every file in /clients, using readfile() or similar? Then you can block access to the whole of /clients.

Considering some kind of mod_rewrite that checks cookie values based on project permissions using a rewritemap. I suppose I could set a cookie that had an md5 hash of user's current project directory path and check with the rewrite condition to see if the 'client_name/project_name' was found in the URI. The rewritemap file would contain the hash table. But this is starting to seem convoluted.

You should be able to do that.

something with https

HTTPS just encrypts the data between the client and the server.

http auth using mysql

mod_authn_dbd
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby johnc » Sat Aug 02, 2008 2:39 pm

Yes, nothing in clients should be accessed directly via browser URL, but there is one catch. Sometimes the review file is an .html file with associated images/media files in that deep review folder. If I were to use a readfile() type method in that case and just render the index file at the root level, those linked files would lose their associations. Not seeing a way around that, I started in with the cookie notion. But could mod_rewrite help get around that? Thanks for your insight, richardk.
johnc
 
Posts: 2
Joined: Thu Jul 31, 2008 2:36 pm

Postby richardk » Sun Aug 03, 2008 3:28 pm

Mod_rewrite can't check the permissions without a RewriteMap, and you will need some way of identifying the user.

The mod_rewrite would be something like (in the site's <VirtualHost>)
Code: Select all
Options +FollowSymLinks

RewriteEngine On

RewriteMap permissions prg:/path/to/permissions/script.php

RewriteCond %{HTTP_COOKIE} ^(.*;\ )?the_cookie_name=(.+?)(;\ .*)?$ [NC]
RewriteCond ${permissions:%2!%{REQUEST_URI}|0} ^0$
RewriteRule ^/clients/.+$ - [F,L]

The script will be passed "cookie_value!request_uri" (stdin).
Your script should return 0 (stdout) if the user does not have permission to view the URL.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am


Return to Security with Mod_Rewrite

Who is online

Users browsing this forum: No registered users and 1 guest

cron