#1
    Contributing User, Devshed Newbie (0 - 499 posts); Join Date: May 2001; Location: Washington DC, USA; Posts: 156; Rep Power: 14

    web application security


    Hello,


    I'm first and foremost a ColdFusion developer but lately I've been spending a lot of time learning Perl and PHP. These kinds of questions apply to just about any kind of web app development platform, so here goes...

    What does everyone think is the "best" way to secure different parts of a web application? Doing it on the application level (via scripts) is great for protecting the application files, but it doesn't do anything to protect "flat" files you might not want touched (sensitive documents, spreadsheets, etc).

    Conversely, standard Apache-style authentication blocks everything in the directory, but isn't customizable from a visual or programming standpoint.

    Has anyone built some kind of PHP module that allows for the combination of the two - using PHP to control a kind of HTTP-authentication, so you can simultaneously protect the application and other flat files but also do it using PHP and not Apache?

    Just curious, thanks.
#2
    Junior Member, Devshed Newbie (0 - 499 posts); Join Date: Sep 2001; Posts: 3; Rep Power: 0

    Maybe you could try this...

    Setup your PHP Scripts so they are protected via an authentication script that checks the sessionID to validate whether the user has access to it.

    Then, store your sensitive documents outside your /home/public_html root folder, so no visitor to your website can view them. (i.e. /home/files)

    When the user wants to download the spreadsheet or word document send them to the download script.

    The download script has authentication. But its primary function is to copy the requested file from an internal directory (/home/files) to an external, website-visible directory (/home/public_html/files). The script copies the file with a unique name (MD5?) for the user to download.

    Lastly, you could have a cron run another script that checks the directory where you are copying the renamed files for download and deletes the files if they are older than x(5) minutes. Then if the person had bookmarked the file download link, it would no longer exist.

    What do ya think?

    Michael Weck
    President
    CompleXero, inc
    www.complexero.com
#3
    Contributing User, Devshed Newbie (0 - 499 posts); Join Date: May 2001; Location: Washington DC, USA; Posts: 156; Rep Power: 14

    Thanks for responding. It's funny because I've actually done something similar to that with an extranet / file sharing application I wrote. I moved all the file storage off the web root and used ColdFusion (although you could do it even better with Perl or PHP I'm sure) to dynamically stream the new header and file to the browser so they download it... sort of like what download.com or many of the other big sites do.

    Great suggestion though and some interesting ideas with the cronjob and such! I'm hoping to hear from some other people and see what they've done.
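    The approach described in posts #2 and #3 (documents stored outside the web root, handed out only through an authenticated download script), as an added example that is not code from this thread or from any of the posters. It streams the file directly, as post #3 describes, instead of copying it into the web root and cleaning up with cron as in post #2, so there is never a bookmarkable copy to expire. It assumes the login script has already put a user id and a per-user list of permitted file names into the session, and that the files live in /home/files.

```php
<?php
// Added example: authenticated download script in the spirit of posts #2 and #3.
// Assumptions (not from the thread): the login script sets $_SESSION['user_id']
// and $_SESSION['allowed_files'] (an array of file names this user may fetch),
// and the documents live in FILE_ROOT, outside the document root.

session_start();

const FILE_ROOT = '/home/files';

// Step 1: the session check post #2 describes.
if (empty($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Login required.');
}

// Step 2: accept only a bare file name, then require it to be on this user's
// list. basename() discards any directory part, so the request cannot name
// a path outside FILE_ROOT.
$requested = basename($_GET['file'] ?? '');
$allowed   = $_SESSION['allowed_files'] ?? [];

if ($requested === '' || !in_array($requested, $allowed, true)) {
    header('HTTP/1.1 404 Not Found');
    exit('No such file.');
}

// Step 3: resolve the real path and confirm it is still inside FILE_ROOT
// and is a regular file (guards against symlinks pointing elsewhere).
$path = realpath(FILE_ROOT . '/' . $requested);
if ($path === false || strpos($path, FILE_ROOT . '/') !== 0 || !is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('No such file.');
}

// Step 4: send the download headers, then the bytes, as post #3 describes.
// no-store keeps shared caches and proxies from holding a copy of the document.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $requested . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

    Because the bytes are read from outside the document root on every request, a user whose session has expired gets a 403 on the same URL, which is the property post #2 uses the cron job to approximate.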
#4
    Contributing User, Devshed Newbie (0 - 499 posts); Join Date: May 2001; Location: Washington DC, USA; Posts: 156; Rep Power: 14

    Hey, you mentioned something about generating unique file names with MD5 (checksums?) and it occurred to me that I've been spending a lot of time trying to find a good "unique identifier" algorithm for files and database entries, etc. Could you explain that technique to me a little bit more? I'd appreciate it. Thanks!
#5
    Junior Member, Devshed Newbie (0 - 499 posts); Join Date: Sep 2001; Posts: 3; Rep Power: 0

    MD5 as I understand it takes any string and converts it to a 32-character variable.

    To ensure that your MD5 result will be 'unique' you need to pass a unique string. There are many ways to create unique strings, but most involve something like this:
    <?php
    // $userID and $filename are assumed to be set by the caller
    $string   = time() . $userID . $filename . rand(1, 12000);
    $uniqueID = md5($string);   // a 32-character hexadecimal string

    All MD5 is doing is encrypting/hiding the data to make it unique and not easy to decode by visually looking at it. It is not meant for "decoding" and returning stuff.
#6
    Contributing User, Devshed Newbie (0 - 499 posts); Join Date: May 2001; Location: Washington DC, USA; Posts: 156; Rep Power: 14

    Thanks a lot for that info - that's really useful. Fortunately ColdFusion's Hash() function can accomplish the same thing for me for now. Darned content management systems always need those unique identifiers.
