This is a very different security question. Basically I think there are two
major classes of solution.
One is based on randomness and the other is based on a harder core ACL
check in the CGI itself and requires the CGI control access to the file
more tightly.
In Detail:
One way which isn't the most secure is to generate random directories to
place these files in and then put the file in these random directory names
for download. Unless a hacker guesses correctly (eg use an MD5 hash is
pretty strong) which is unlikely, they won't be able to get a file of
someone else's without knowing the session key.
This is subject to brute force checking and is potentially breakable
through other means.
The more secure way is to store the file outside the document tree and
check a database to see if the authorized user can access that particular
uploaded file. If so, then the CGI program itself should open the file and
present it back to the user.
Otherwise, no dice.
At 10:32 AM 9/5/2001 +0800, Rajeev Rumale wrote:
>Greetings to all,
>
>This is really a good thread we have.
>
>How ever as the title is not restricting to database security. I would like
>to add my concern to it.
>
>I need to store some uploaded files from the "visitors" into some
>directories which are inside website root.
>
>Since the files submited are confidential info We need to protect it from
>people directly accessing the files depending upon the ownership rights (the
>actual owner, site admin, site operator, other authorised user).
>
>Any suggestions for same .
>
>Thanking in advance.
>
>Rajeev Rumale
>
>
>
>
>--
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
__________________________________________________
Gunther Birznieks ([EMAIL PROTECTED])
eXtropia - The Open Web Technology Company
http://www.eXtropia.com/
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
