You could contact Walter Lorenzetti; AFAIK he was working on something 
like this.

Regarding the map images in the tmp folder: have a look at the file 
names (a combination of session ID and time in microseconds) and then 
decide if these names are "guessable"... If you use cookies for sessions, 
it's also not possible to have a slight risk of session information 
leaking via HTTP referrer headers. You should just be aware of the side 
effects of cookies for sessions in p.mapper and clear the session if 
required (e.g. at start-up). You can also run a cron job every minute 
that deletes the tmp files older than a minute.

Or if you (or your customer) are paranoid enough, add an AJAX request to 
the map image loading that launches a PHP script to delete the just 
created image. You can do this as a plugin; check the scalebar plugin 
(in pm. 4.1.), something like:

PM.Map.bindOnMapRefresh(function(e){
     PM.Plugin.RmTmpFiles.rm();
});

You can extract the current map image file name from the src 
attribute via
$('#mapImg').attr('src');

Or just overwrite the default PM.Map.swapMapImg() with your custom 
function that launches the AJAX for removing the tmp file.

armin

On 15/12/2010 22:18, Peter Wells wrote:
> Hello all,
>
> I'm in the process of setting up p.mapper for a client who wishes to map
> potentially sensitive data to authenticated users.
>
> Users will need to be authenticated against an SQL db residing at
> another location so I was looking to steer away from .htaccess based
> ideas.  If anyone has any pre-existing suggestions, I'd be happy to hear
> them.
>
> Below are some ideas for developing an authentication solution (if
> anyone is interested in discussing this further, please read on...)
>
> At present, I've added a login.php and logout.php which authenticate and
> set php session variables.  It shouldn't be hard to adjust all php pages
> so that they only function if the user is logged in, else re-directing
> them to a login page.
>
> My problem at the moment is how to stop people from accessing the
> rendered images in the /tmp folder.  If someone (unauthenticated)
> managed to guess a filename under the /tmp folder, they'd be able to see
> previously rendered maps.  The only solution I've thought of so far to
> this is to stop apache from serving files directly from this folder and
> instead write some php which reads the correct image and then squeezes
> it out through GD functions or similar (after checking that the user is
> authed obviously).
>
> I suspect I'll end up developing further the idea above unless there is
> something out there that does this already and it would be great to hear
> any thoughts for improvement / criticism from any developers (p.mapper
> or otherwise) on the mailing list.
>
> Kind regards,
>
> Pete
> ------------------------------------------------------------------------------
> Lotusphere 2011
> Register now for Lotusphere 2011 and learn how
> to connect the dots, take your collaborative environment
> to the next level, and enter the era of Social Business.
> http://p.sf.net/sfu/lotusphere-d2d
> _______________________________________________
> pmapper-users mailing list
> pmapper-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/pmapper-users
>
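
The cron-based cleanup suggested in the reply above, as an added example that is not part of the original message and not p.mapper code. It assumes GNU or BSD find (for -maxdepth, -mmin and -delete); the function name purge_tmp_maps and the paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not p.mapper code. Deletes rendered map images older than
# N minutes from the web-served tmp directory and prints how many were removed.
# Hypothetical use from a wrapper script run by cron every minute:
#   purge_tmp_maps /var/www/pmapper/tmp 1     (placeholder path)

purge_tmp_maps() {
    dir=$1
    max_age_min=${2:-1}

    # Only accept an absolute path that is not the filesystem root.
    case $dir in
        ''|/) echo "refusing to clean '$dir'" >&2; return 2 ;;
        /*)   ;;
        *)    echo "directory must be an absolute path" >&2; return 2 ;;
    esac

    # The age must be a plain non-negative integer (it is passed to find).
    case $max_age_min in
        ''|*[!0-9]*) echo "age must be whole minutes" >&2; return 2 ;;
    esac

    # The target must be a real directory, not a symlink pointing elsewhere.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "'$dir' is not a plain directory" >&2
        return 2
    fi

    # -maxdepth 1 : never descend into subdirectories
    # -type f     : regular files only, so symlinks are never followed
    # -name ...   : image files only; anything else in tmp is left alone
    # -mmin +N    : last modified more than N minutes ago
    find "$dir" -maxdepth 1 -type f \
        \( -name '*.png' -o -name '*.jpg' -o -name '*.jpeg' -o -name '*.gif' \) \
        -mmin "+$max_age_min" -print -delete | wc -l | tr -d ' '
}
```

Cleanup only shortens the window in which a rendered image can be fetched by URL; it does not replace an access check on the tmp folder itself.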
