vrobinson

I can confirm what Smef said about crawlability, too. I had to deal with something like this and took a somewhat more complicated, but I think even further secure approach (you can tell me if think it is). Details at http://fmforums.com/forum/topic/78348-hiding-passuser-on-website/

This is a 2 year old thread, but I recently faced a related issue on a public site (an extranet), where we weren't willing to expose the SC server (a different machine from the FM server) and needed to hide the data parameters. With Tomas' idea in mind, I came up with a means of using cURL to do something similar. The challenge was creating useable PDF url's in each record, without using GET or a POST to pass a document ID (used by SC to create the file locations in the first place). We also needed to avoid revealing a public path to the SC server altogether, since once revealed, an ordinary user would be able to easily guess alternate id's in the path and end up seeing other clients' docs.) I ended up creating a custom, 7-line PHP page on the fly for each referenced PDF, into unique folders based on (logged-in) user id, document ID, and a random string (for good measure). These folders and their pages (one per document) reside in the public web folder, so the obfuscation is necessary. (A brute-force botnet might find them, but at least a crawler would not, since the links are behind a login.) As a further security measure, these folders are deleted when the user logs out (manually or via timeout). The code is in a foreach (hence the $i's) for writing out the corresponding rows in an html table: // page-common -- included outside the foreach but included here for clarity $root = '/web/root/display/'; //local fiesystem path to writeable directory $user = $_SESSION['id_user']; $file = 'index.php'; $baseURL = "http://supercontainer.local/SuperContainer/RawData/"; // row-specific $doc = $d_id[$i]; $rnd = mt_rand(1000, 1000000); $code='<?php $url = ' . $baseURL . $doc . '/'; header("Content-type: application/pdf"); header("Content-Disposition: inline; filename=PBL Report - ' . $docLabel . '.pdf"); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_exec($ch); curl_close($ch); ?>'; // more than one doc per user if (!is_dir($root . $user)) { mkdir($root . $user); } if (!is_dir($root . $user . '/' . $doc)) { mkdir($root . $user . '/' . $doc); } if (!is_dir($root . $user . '/' . $doc . '/' . $rnd)) { // using the rnd directory proliferates these subdirectories upon page reload ($rnd is reset), but all are cleaned up on logout mkdir($root . $user . '/' . $doc . '/' . $rnd); } $fpath = $root . $user . '/' . $doc . '/' . $rnd . '/' . $file; $a = fopen($fpath, 'w'); fwrite($a, $code); fclose($a); echo '<a href="/display/' . $user . '/' . $doc . '/' . $rnd . '/">View</a>'; I'd still prefer to have these written into a directory outside the web root. I'll amend this if I come up with a way to do so. If you've done anything similar -- or have a better method, I'd love to hear about it.