On May 24, 6:31 pm, Andy Waschick <a...@[EMAIL PROTECTED]> wrote:
> On 2007-05-14 11:10:44 -0500, ll <barn104_1...@[EMAIL PROTECTED]> said:
>
> > I am looking for a way to integrate a member section into my cf photo
> > gallery. I am looking at having a general directory that has its own
> > images directory (for the general public) and a member directory under
> > that, which is protected and contains the images that only members can
> > access.
> > I wonder if there is a better way, though, in which I can store all
> > images in the same directory, possibly all under the protected area?
> > I appreciate any ideas.
>
> I set up a protected file database for a client a few years ago, and
> gave this issue of files-at-a-premium some thought. I suppose there
> are a couple of points to think about, which as we go farther down the
> list lets us indulge in more paranoid fantasies about how much somebody
> might try to get at your precious images.
>
> The problem with any web-accessible directory is that it's
> web-accessible. That's sort of the whole point. So, if you want to
> prevent somebody from getting those files temporarily, you have to put
> them somewhere where they cannot get at them.
>
> Security through obscurity is probably enough of a challenge for the
> typical functionally-retarded web audience member out there... I mean,
> nobody knows what the names of the files in the galleries are to begin
> with except your database, so if you just set a field to mark whether a
> file is premium content or not, you can probably get something that
> gives the appearance of security without really having to go the whole
> distance.
>
> My client, though, was also concerned about people downloading a
> sensitive document and then the link they clicked on to get the
> document falling into unauthorized hands. Just because they had to
> enter a password to get the link does not mean the link does not exist
> for everybody else in the world. The solution to this problem was the
> Karate Kid defense-- you know the one, where Mister Miyagi says "the
> best defense is to no be there".
>
> I wrote a download link generating CF module that pulled the path of
> the file-- stored in a directory OUTSIDE the public web root
> directory-- and then mangled the filename with some random characters
> at the end. It copied the source file and renamed it in a public
> directory, gave the user a link, and then set a CF scheduler event to
> fire off in 10 minutes that called a module that would delete the file.
> The user could then safely get the file and shortly after they were
> finished, the link they clicked would magically turn into a 404 error.
>
> The latter idea might be a little extreme, but the concept is the same
> in that if your users don't know what to ask for, they can't have it,
> even if it's living in a public directory on your server.
>
> Hope this gives you some ideas.
>
> Andy
Andy,
Many thanks for your comprehensive thoughts and approach to this!
They will definitely go 'into the mix' as I look at my approach.
Would the link from your main page to the download generating module
always remain the same (authentication, etc?)
Regards,
Louis
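The expiring-link idea Andy describes above, as an added example that is not from the thread and not ColdFusion: the originals stay outside the web root, a download handler hands out a 256-bit random token that maps to one file for ten minutes, and nothing is ever copied into a public directory, so the window in which anyone holding the link can fetch the file closes with the token rather than with a scheduled delete. The PROTECTED_ROOT path and the in-memory token store are assumptions for illustration; a real site would check the user's session before calling issue_link.

```python
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed layout (not from the thread): protected originals live OUTSIDE
# the web root, so the web server cannot serve them directly at all.
PROTECTED_ROOT = os.path.realpath("/srv/gallery/protected")
LINK_TTL_SECONDS = 600  # the ten-minute window from Andy's post


@dataclass
class Grant:
    path: str
    expires_at: float


_grants: Dict[str, Grant] = {}  # token -> grant; a DB table in production


def confine_to_protected_root(relative_name: str) -> Optional[str]:
    """Resolve a gallery name to an absolute path, or None if it would
    escape PROTECTED_ROOT (e.g. '../../etc/passwd') or name the root itself."""
    full = os.path.realpath(os.path.join(PROTECTED_ROOT, relative_name))
    if full == PROTECTED_ROOT:
        return None
    if os.path.commonpath([full, PROTECTED_ROOT]) != PROTECTED_ROOT:
        return None
    return full


def issue_link(relative_name: str, now: Optional[float] = None) -> str:
    """Return an unguessable token for one protected file, valid for the TTL.
    Caller must already have checked that the member is logged in."""
    now = time.time() if now is None else now
    full = confine_to_protected_root(relative_name)
    if full is None:
        raise ValueError("name escapes the protected directory")
    token = secrets.token_urlsafe(32)  # 256 bits, not "a few random characters"
    _grants[token] = Grant(full, now + LINK_TTL_SECONDS)
    return token


def resolve_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the file to stream for a live token; None for unknown or
    expired tokens (expired ones are purged, giving Andy's 404 behaviour)."""
    now = time.time() if now is None else now
    grant = _grants.get(token)
    if grant is None:
        return None
    if now >= grant.expires_at:
        del _grants[token]
        return None
    return grant.path
```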