
hiding pass/user on website


This topic is 4007 days old. Please don't post here. Open a new topic instead.


Hi,

I thought I would post this as a topic that might help someone else... There is probably a better/easier way of doing this but, hey, I am no expert!

My setup:

Remote FM server (a mac server) accessed by distant FM clients (over internet) and a website served from same machine.

My issue:

Part of my SuperContainer is for storing sensitive documents that need to be as secure as possible.

Part of my SuperContainer is for storing images used on a website.

Problem:

The complete file path, including the SuperContainer user/password, is shown in the img src URL on the website.

Solution:

Use SuperContainer (plugin) to move the web images through a symbolic link to a folder in the website's images directory. This means the file path used in the web page img src is '/images/image.jpg' rather than 'http://myserver.com/SuperContainer/Files/whatever/image.jpg?username&password'. So evil spies can't see my user/password. Great!

note:

As well as the step above, I also use the applet in web viewers (hides the URL when loading) and have already added a user and password to the XML file (SuperContainer is installed on FMS). In addition I use SSL and 'random' long folder names as described in the documentation.

This means that no FM users see my SuperContainer user/password or the random folder names, neither can website visitors. SSL stops eavesdropping. This means my SuperContainer and its contents are pretty secure, and no-one can type 'myserver.com/SuperContainer/Files/whatever' and upload/delete stuff without guessing a difficult user/password....

Thanks for reading!

Any comments welcome - I am a newbie at this computer lark and so it's a steep learning curve!

Cheers

Guy


If I understand you correctly, you need a way to show pictures from the SC without revealing the path and password?

I do like this, please tell me if it's good or bad (some error checking stripped from the code)....

index.php

<img src="image.php?imgid=1240">

and image.php looks like this.

<?php
// Build the SuperContainer URL on the server; the username/password never reach the browser
$name = "http://server.com/SuperContainer/RawData/images/" . $_GET['imgid'] . "?username=user&password=password";
// Stream the fetched file straight through to the client
readfile($name);

it has worked for a while now, so I hope it continues ....



This is a 2-year-old thread, but I recently faced a related issue on a public site (an extranet), where we weren't willing to expose the SC server (a different machine from the FM server) and needed to hide the data parameters. With Tomas' idea in mind, I came up with a means of using cURL to do something similar. The challenge was creating usable PDF URLs in each record, without using GET or a POST to pass a document ID (used by SC to create the file locations in the first place). We also needed to avoid revealing a public path to the SC server altogether, since once revealed, an ordinary user would be able to easily guess alternate IDs in the path and end up seeing other clients' docs.

I ended up creating a custom, 7-line PHP page on the fly for each referenced PDF, into unique folders based on (logged-in) user ID, document ID, and a random string (for good measure). These folders and their pages (one per document) reside in the public web folder, so the obfuscation is necessary. (A brute-force botnet might find them, but at least a crawler would not, since the links are behind a login.) As a further security measure, these folders are deleted when the user logs out (manually or via timeout).

 

The code is in a foreach (hence the $i's) for writing out the corresponding rows in an HTML table:

 

<?php
// page-common -- included outside the foreach but included here for clarity

$root = '/web/root/display/'; // local filesystem path to writeable directory
$user = $_SESSION['id_user'];
$file = 'index.php';
$baseURL = "http://supercontainer.local/SuperContainer/RawData/";

// row-specific ($d_id and $docLabel come from the surrounding foreach)

$doc = $d_id[$i];
$rnd = mt_rand(1000, 1000000);

// PHP source of the per-document page; the URL and the filename must be
// quoted inside the generated code or the written page will not parse
$code = '<?php
  $url = "' . $baseURL . $doc . '/";
  header("Content-type: application/pdf");
  header("Content-Disposition: inline; filename=\"PBL Report - ' . $docLabel . '.pdf\"");
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_exec($ch);
  curl_close($ch);
?>';

// more than one doc per user
if (!is_dir($root . $user)) {
  mkdir($root . $user);
}
if (!is_dir($root . $user . '/' . $doc)) {
  mkdir($root . $user . '/' . $doc);
}
if (!is_dir($root . $user . '/' . $doc . '/' . $rnd)) { // using the rnd directory proliferates these subdirectories upon page reload ($rnd is reset), but all are cleaned up on logout
  mkdir($root . $user . '/' . $doc . '/' . $rnd);
}

$fpath = $root . $user . '/' . $doc . '/' . $rnd . '/' . $file;

// write the generated page, then link to its directory (index.php is served)
$a = fopen($fpath, 'w');
fwrite($a, $code);
fclose($a);

echo '<a href="/display/' . $user . '/' . $doc . '/' . $rnd . '/">View</a>';

 

I'd still prefer to have these written into a directory outside the web root. I'll amend this if I come up with a way to do so. If you've done anything similar -- or have a better method, I'd love to hear about it.

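Both Tomas' image.php and the per-document generated pages above proxy SuperContainer content through the web server so the SC path and credentials stay out of the browser. The gateway script below is an added example, not code from either post or from the SuperContainer project, and it serves both cases with one script: it checks the login and that the requested document belongs to the user before streaming it, so no pages need to be written into the web root or cleaned up at logout. It assumes the login is stored in $_SESSION['id_user'], the user's permitted document IDs in $_SESSION['docs'], the SC credentials in a config file outside the web root (sc_config.php, a hypothetical name), and the RawData/<id>/ URL layout used in the thread.

```php
<?php
// gateway.php: single PDF proxy; the browser only ever sees /gateway.php?doc=N
session_start();

// Credentials kept outside the web root (assumed file that returns
// ['base' => 'http://supercontainer.local/SuperContainer/RawData/', 'user' => ..., 'pass' => ...])
$config = require '/web/private/sc_config.php';

// 1. Require a login: anonymous visitors get nothing
if (empty($_SESSION['id_user'])) {
    http_response_code(403);
    exit('Not logged in');
}

// 2. Accept only a positive integer ID, so nothing like ../ or extra
//    query parameters can be spliced into the SuperContainer URL
$doc = filter_input(INPUT_GET, 'doc', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($doc === null || $doc === false) {
    http_response_code(400);
    exit('Bad document id');
}

// 3. Authorise: the ID must be one of this user's own documents; a valid
//    but foreign ID gets the same 404 as a non-existent one
$allowed = array_map('intval', $_SESSION['docs'] ?? []);
if (!in_array($doc, $allowed, true)) {
    http_response_code(404);
    exit('Not found');
}

// 4. Fetch from SC server-side with the credentials, then stream to the client
$url = $config['base'] . $doc . '/?username=' . rawurlencode($config['user'])
     . '&password=' . rawurlencode($config['pass']);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
$body = curl_exec($ch);
$status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);
if ($body === false || $status !== 200) {
    http_response_code(502);
    exit('Could not retrieve document');
}

header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="report-' . $doc . '.pdf"');
header('Content-Length: ' . strlen($body));
echo $body;
```

The link in each table row then becomes `<a href="/gateway.php?doc=1240">View</a>`, and revoking access is a matter of removing the ID from the session list rather than deleting directories.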