
So a little background of the situation first:

I have a 3rd party application that has been written to work only within its own directory and only with JSON files.

Now the problem I have is that it is all pretty much written in JS, jQuery and Angular, which means no file can be behind the root directory, because JavaScript is not allowed to call files behind the root directory. Also I would prefer not to expose the file location unless I protect it somehow with some kind of password or session based system.

So my question is the following:

Is there a way that I can leverage .htpasswd or some other technology that will prevent bots or someone from accessing data directly or through a URL without passing maybe a GET param, so that it can confirm that they have rights, and also have the GET param expire so someone can't simply give this URL to someone else and say "hey, go for it"?

So basically a session hash or something of this nature.

Example:

C:/wwwStufff/webRoot/3rdPartyApp/somejsFile
C:/wwwStufff/webRoot/3rdPartyApp/projectData
C:/wwwStufff/webRoot/3rdPartyApp/projectData/projects.json
C:/wwwStufff/webRoot/3rdPartyApp/projectData/project1/project.json

So pretty much I want to be able to protect the whole projectData folder: any time someone tries to access a file, even a JSON file, they have to pass some kind of hash and only then will it let them access it.

    Are your users supposed to be able to open the page directly and see the results **without entering a password**? Then by definition the data is public and whatever you do will have very little effect on a bot simply impersonating a normal user exactly. If OTOH your users will go through some sort of authentication process which involves passwords, then yes, you can and should have a proper server-side authentication procedure. – deceze Mar 06 '17 at 10:33
  • We have a user login authentication system, yes. But my concern is that if they figure out direct access to a file, they will be able to get to files directly. For example, this AJAX makes a call to http://example.com/3rdPartyApp/projectData/project1/importantfile.json. They see this, grab the URL directly to this file, then pass this URL to others, and people can access this directly. – NextGenDevelopment Mar 06 '17 at 12:57
  • Then yes, it is absolutely wrong to allow anonymous access to that file in the first place. The question is whether your web server can be tied into your existing authentication scheme or not. Oftentimes the web server doesn't support whatever password scheme you're using easily, so just protecting the files with .htaccess or so may not be possible. You need to write some backend PHP service which does the authentication and outputs the JSON only if that passes. – deceze Mar 06 '17 at 13:00
  • Do you know a system that can tie into IIS and/or Apache that has a PHP framework already? – NextGenDevelopment Mar 06 '17 at 13:06
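Following deceze's suggestion of a PHP gatekeeper, here is an added example (not code from the question, its comments, or the 3rd party app) of what such a script could look like. It assumes the existing login code sets `$_SESSION['user_id']`, that the projectData folder has been moved out of the web root to the placeholder path `C:/wwwStufff/private/projectData`, and that the Angular code fetches `data.php?f=project1/project.json` instead of the raw file; because the check rides on the session cookie rather than a token in the URL, a copied link is useless to anyone who is not logged in, which covers the "expiring GET param" requirement without a secret ever appearing in a shareable URL.

```php
<?php
// data.php - session-checked gateway in front of the JSON files (added example).
declare(strict_types=1);
session_start();

// Placeholder location OUTSIDE the web root: the web server never serves it directly.
const DATA_ROOT  = 'C:/wwwStufff/private/projectData';
const IDLE_LIMIT = 900; // seconds of inactivity after which the session is treated as expired

function deny(int $code, string $msg): void
{
    http_response_code($code);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

// 1. Only logged-in users get anything at all; $_SESSION['user_id'] is assumed to be
//    set by the site's own login page.
if (empty($_SESSION['user_id'])) {
    deny(401, 'login required');
}
// 2. Idle timeout, so a long-abandoned session cannot be replayed indefinitely.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
    session_destroy();
    deny(401, 'session expired');
}
$_SESSION['last_seen'] = time();

// 3. Allow-list the requested name: plain path segments ending in .json, nothing else
//    (no "..", no leading slash or drive letter, no NUL bytes, no other extensions).
$requested = $_GET['f'] ?? '';
if (!preg_match('#\A[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\.json\z#', $requested)) {
    deny(400, 'bad file name');
}

// 4. Resolve to a real path and confirm it still lies inside DATA_ROOT (belt and braces
//    on top of the allow-list; also catches symlinks pointing elsewhere).
$base = realpath(DATA_ROOT);
$path = realpath(DATA_ROOT . '/' . $requested);
if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    deny(404, 'not found');
}

// 5. Serve the JSON uncached, so nothing usable lingers in shared caches or proxies.
header('Content-Type: application/json');
header('Cache-Control: no-store');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The allow-list pattern plus the realpath comparison keep every request inside DATA_ROOT, so any attempt to reach outside the data folder through `f` is rejected before a file is read.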
