Loading ...
Sorry, an error occurred while loading the content.

909Security implemention question

Expand Messages
  • richard@crosswired.co.uk
    Jan 3, 2003
      Hi all.
      I am working on an application for which there are two levels of user.
      User level 1 must upload files to the server, and user level 2 must be able
      to download any files uploaded by users of level 1.
      I have already implemented page level security to restrict each level user to
      the pages for which they are authorised. My problem is that for user level 2
      to be able to download these files, they must be placed somewhere within the
      webroot. I want to prevent user level 1 from downloading these files as they
      are only intended for downloading by users of level 2.

      The only idea I had was to store all files outside of the webroot, and when a
      user of level 2 wants to download these files, they are copied to somewhere in
      the webroot, with a filename such as
      "$current-PID_$current-unixtime_$filename". Furthermore, periodically, (every
      hour for example), delete all files in this folder which are older than an
      hour.

      This way, by also preventing directory listing of this folder, the only way a
      user of level 1 could get these files would be to guess the PID, unix
      timestamp, and filename, all within an hour (before they are cleaned away
      again).
      This I dont think is very likely.

      Can anyone either point out any major problems with this approach, or
      alternatively (preferably), suggest a better alternative ?
      In case it makes any difference to peoples ideas/views, I am not using Apache
      for access control. Users authenticate against a database, then on each page
      they visit, their user level (taken from the session object) is checked
      against the access level required for that page.

      I am using Apache::ASP (latest), mod_perl 1.99, Apache2 (latest), perl 5.6.1

      Thanks for any advice / feedback

      Richard



      ---------------------------------------------------------------------
      To unsubscribe, e-mail: asp-unsubscribe@...
      For additional commands, e-mail: asp-help@...
    • Show all 5 messages in this topic