Password Protection - revisited...

[jgodfrey]

Hello All,

While I know how to password selected directories within Abyss, that's not exactly what I'm after.

I have a web gallery (using Simple PHP Gallery) that contains both "public" and "private" folders. Basically, my directory structure looks like this, from my web root:

/blog/gallery/Private
/blog/gallery/Public

When I point my browser to /blog/gallery, there is an "index.php" file there (part of the Simple PHP Gallery system), that creates the navigation for all the gallery subdirectories.

So, that index.php file constructs links to both my "Private" and "Public" gallery folders. Unfortunately, the links look like this:

<mywebsite>/blog/gallery/index.php?dir=./Private
<mywebsite>/blog/gallery/index.php?dir=./Public

I have password protected the "Private" directory within Abyss, but the above link structure does not trigger the protection. I've even tried to password protect various incarnations of the exact link as shown above within Abyss, but I can't seem to protect the directories using this kind of linking structure. I've even tried crazy things like definining the "Virtual Path" for protection as "*Private*", but nothing seems to work.

So, is it possible to protect my directory within Abyss, when it's being accessed through a PHP constructed navigation link as shown above?

Thanks for any advice.

Jeff Godfrey

[aprelium]

jgodfrey,

Abyss Web Server protection works only on URLs that it receives. When you program a script to access a file on your hard drive, it never asks Abyss for authorization. It simply opens the file by calling the operating system functions directly. So it is up to you as the script author to enforce this security/protection if you access files inside a script.
By the way, this is the same situation with all web server: a CGI script is executed by yoru operating system and the web server cannot control its accesses to the operating system features.
_________________
Support Team
Aprelium - http://www.aprelium.com

[jgodfrey]

[jgodfrey]

I'm kind of new to this entire arena, so if what I'm about to suggest is impossible, impractical, or otherwise nonsensical, someone please say so...

Currently, Abyss allows physical directories to be password protected. I'm wondering if it makes any sense to allow the protection of a specific "request", in the same manner that directory protection works today.

For instance, as explained in my original post above, I have password protected a directory called "<mysite>/blog/gallery/Private", which contains private photo galleries. The gallery software I am using creates navigation to the gallery subdirectories automatically, and the links look like this:

<mywebsite>/blog/gallery/index.php?dir=./Private

Clicking the above link, accesses thumbnail images from the Private gallery, but they are not stored in the "Private" directory, so they are not protected. Because of this, anyone can access the Private thumbnails - which is not desirable. In fact, they can also click on a thumbnail and access a larger verison of it. It's not until they click on that "larger version", which is a link to the actual image that the "Private" directory is accessed, which triggers the Abyss password protection scheme. So, two separate versions of the image can be accessed before any protection is triggered. This is what I want to avoid.

Obviously, if the thumbnail and mid-sized image were stored in the Private directory, things would work as expected, but that's not the way "Simple PHP Gallery" works. I could attempt to hack it up, but I'm trying to avoid that.

So, my suggestion is to password protect the above request. For instance, I'd like to say that any request that contains "some string" should be protected just as if it's a directory.

In the above example, maybe I want to protect the following:

"*Private"

So, if the server ever sees a a request containing the above string, it would force password authorization just as it does today with physical directories.

Does that make any sense?

Thanks for any input.

Jeff

[aprelium]

jgodfrey

When such an URL is sent to Abyss Web Server:
<mywebsite>/blog/gallery/index.php?dir=./Private

It is decoded and only the virtual path is used to do the checks, i.e. only /blog/gallery/index.php .

So protecting "*Private" won't solve the problem.

Obviously the script needs some tweaking to work as you expect it. We can see what we can do to change it if you send us your abyss.conf, the script (as it is installed) to support@aprelium.com .
_________________
Support Team
Aprelium - http://www.aprelium.com

[jgodfrey]

[aprelium]

[jgodfrey]