views:

556

answers:

5

Lets say you have lots of html, css, js, img and etc files within a directory on your server. Normally, any user in internet-land could access those files by simply typing in the full URL like so: http://example.com/static-files/sub/index.html

Now, what if you only want authorized users to be able to load those files? For this example, lets say your users log in first from a URL like this: http://example.com/login.php

How would you allow the logged in user to view the index.html file (or any of the files under "static-files"), but restrict the file to everyone else?

I have come up with two possible solutions thus far:

Solution 1
Create the following .htaccess file under "static-files":

Options +FollowSymLinks  
RewriteEngine on  
RewriteRule ^(.*)$ ../authorize.php?file=$1 [NC]

And then in authorize.php...

if (isLoggedInUser()) readfile('static-files/'.$_REQUEST['file']);
else echo 'denied';

This authorize.php file is grossly over simplified, but you get the idea.

Solution 2
Create the following .htaccess file under "static-files":

Order Deny,Allow
Deny from all
Allow from 000.000.000.000

And then my login page could append that .htaccess file with an IP for each user that logs in. Obviously this would also need to have some kind of cleanup routine to purge out old or no longer used IPs.


I worry that my first solution could get pretty expensive on the server as the number of users and files they are accessing increases. I think my second solution would be much less expensive, but is also less secure due to IP spoofing and etc. I also worry that writing these IP addresses to the htaccess file could become a bottleneck of the application if there are many simultaneous users.

Which of these solutions sounds better, and why? Alternatively, can you think of a completely different solution that would be better than either of these?

+6  A: 

I would consider using a PHP loader to handle authentication and then return the files you need. For example instead of doing <img src='picture.jpg' /> Do something like <img src='load_image.php?image=picture.jpg' />.

Your image loader can verify sessions, check credentials, etc. and then decide whether or not to return the requested file to the browser. This will allow you to store all of your secure files outside of the web accessible root so nobody is going to just WGET them or browse there 'accidentally'.

Just remember to return the right headers in PHP and do something like readfile() in php and that will return the file contents to the browser.

I have used this very setup on several large scale secure website and it works like a charm.

Edit: The system I am currently building uses this method to load Javascript, Images, and Video but CSS we aren't very worried with securing.

angryCodeMonkey
Thanks Shane. This loader is basically what I describe in my first solution. My concern with it is the server expense, but I am glad to hear that it worked well for you in your "large scale secure website".
Bart
I don't typically use the .htaccess rules you mentioned above (though I see no reason not to) I just create some wrapper functions that build the correct query strings and pass arguments. Since your server typically serves back binary data anyway the only additional overhead is PHP processing which (at least to me) is well worth the security you gain especially vs the .htaccess overhead of having it check many (hundereds|thousands) of ip addresses for EVERY page request in the system. Just one of many ways to skin this cat I think! Let me know if you come across something else!
angryCodeMonkey
A: 

Maintaining the contents of the htaccess files looks to be a nightmare. Also, your stated objective is to prevent non-authenticated users not non-authenticated client ip addresses from accessing this content - so the approach is not fit for purpose:

Multiple users can appear to come from the same IP address

A single users session may appear to come from multiple addresses.

I worry that my first solution could get pretty expensive on the server as the number of users and files they are accessing increases

If you want to prevent your content from leaching and don't want to use HTTP authenitcation then wrapping all file access in an additional layer of logic is the only sensible choice. Also, you don't know that using PHP for this is a problem - have you tested it? I think you'd be surprised just how much throughput it could deliver, particularly if you use an opcode cache.

I'm guessing your 'simplification' of the wrapper addresses issues like mime type and caching.

C.

symcbean
PHP is definitely a problem for this on heavy-duty sites with many calls. It's not just the putting through the data; the whole user authentication process has to be performed for every single small resource. This usually weighs a few MBs or RAM, and that each time per requested resource.
Pekka
define "heavy duty"? I've had much more complex scripts processing half a million hits per day on a 1ghz celeron with 512 Mb of memory (OK, actually 4 times that volume on 4 servers) pulling in data from a DB and still giving response times averaging 250 ms.
symcbean
No I haven't tested it yet. But regardless of the details, a web server simply serving a file has got to be less expensive than PHP running, performing some filesystem functions like `is_file` and `stat`, and then finally serving the file via `readfile`.
Bart
+1  A: 

Create a rewrite map that verifies the user's credentials and either redirects them to the appropriate resource or to an "access denied" page.

Ignacio Vazquez-Abrams
Yes! I played a little bit with this same idea after originally writing this question. A RewriteMap were it rewrites to the originally requested URL if authenticated and a denied page if not authenticated. For the life of me I couldn't get it working. I couldn't even get Apache to start up when specify a PHP script in PRG. Do you have any examples or tips for using this type of technique? My setup is: Apache 2.2 / PHP 5.2 / Windows Server 2008
Bart
The script needs to be executable which on Windows means that .php has to be associated with the PHP CLI executable. Also, the script should call `flush()` upon output, and should loop back and wait for further input; the script is started on httpd startup and is killed on httpd shutdown.
Ignacio Vazquez-Abrams
A: 

I have been thinking a lot about the same issue. I am equally unhappy with the PHP engine running for every small resource that is served out. I asked a question in the same vein a few months ago here, though with a different focus.

But I just had an awfully interesting idea that might work.

  • Maintain a directory called /sessions somewhere on your web server.

  • Whenever a user logs in, create an empty text file with the session ID in /sessions. E.g. 123456

  • In your PHP app, serve out images like this: /sessions/123456/images/test.jpg

  • In your htaccess file, have two redirect commands.

  • One that translates /sessions/123456/images/test.jpg into /sessions/123456?filename=images/test.jpg

  • A second one that catches any calls to //sessions/(.*) and checks whether the specified file exists using the -f flag. If /sessions/123456 doesn't exist, it means the user has logged out or their session has expired. In that case, Apache sends a 403 or redirects to an error page - the resource is no longer available.

That way, we have quasi-session authentication in mod_rewrite doing just one "file exists" check!

I don't have enough routine to build the mod_rewrite statements on the fly, but they should be easy enough to write. (I'm looking hopefully in your direction @Gumbo :)

Notes and caveats:

  • Expired session files would have to be deleted quickly using a cron job, unless it's possible to check for a file's mtime in .htaccess (which may well be possible).

  • The image / resource is available to any client as long as the session exists, so no 100% protection. You could maybe work around this by adding the client IP into the equation (= the file name you create) and do an additional check for %{REMOTE_ADDR}. This is advanced .htaccess mastery but I'm quite sure it's doable.

  • Resource URLs are not static, and have to be retrieved every time on log-in, so no caching.

I'm very interested in feedback on this, any shortfalls or impossibilities I may have overlooked, and any successful implementations (I don't have the time right now to set up a test myself).

Pekka
Care to explain the downvote?
Pekka
A: 

Hello,

I wrote a dynamic web application and deployed it on Webshere Application Server, and here is the way how I secured my static files :

I first added

<login-config id="LoginConfig_1">
  <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication</realm-name>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/login_error.html</form-error-page>
       </form-login-config>
</login-config>

in web.xml which will tell your webserver to use form based authentication(code to use login is given below).

code to login page :

<form id="form1" name="form1" method="post" action="j_security_check" style="padding: 0px 0px 0px 12px;">
        Username: 
          <label>
          <input name="j_username" type="text" class="font2" />
        </label>

        <br />
        <br />
        Password:
        <span class="font2" >
        <label>
      <input name="j_password" type="password" class="font2" />
      </label>
      </span> 
        <br />
        <br />
            <label>
        <input type="submit"  class="isc-login-button" name="Login" value="Login" />
        </label>
    </form></td>

To make form based login happen you have to configure your webserver to use a particular user registory which can be LDAP or database.

You can declare your secure resources and whenever a user tries to access those resources container automatically checks that whether user is authenticated or not. Even you can attach roles also with the secure resources. To do this I have added following code in my web.xml

<security-constraint>
        <display-name>Authenticated</display-name>
        <web-resource-collection>
            <web-resource-name>/*</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>HEAD</http-method>
            <http-method>TRACE</http-method>
            <http-method>POST</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Auth Roles</description>
            <role-name>role1</role-name>            
            <role-name>role2</role-name>            
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>role1</role-name>
    </security-role>
    <security-role>
        <role-name>role2</role-name>
    </security-role>

So this code will not let user see any static file( since /*) until he is logged in under role role1 and role2. So by this way you can protect your resources.

GG