I have a site that grants access to content in various forms (PDF, MP3, MP4 etc.) to authenticated users. The site has been developed for me by a third-party developer on LAMP. Users authenticate with the application using a username/password stored in a MySQL DB. They do not authenticate with Apache, MySQL or any other mechanism.
Recently, a penetration test of the site identified a few apparent vulnerabilities. The one that has me scratching my head is the requirement for authentication to download JavaScript files. Obviously the browser needs access to this JS content to make the application run, and this means exposing at least some files publicly.
My question is this: Is there a way to prevent users who have not logged in to the application from accessing certain files?
I have seen solutions like a .htaccess version suggested for content files.
e.g.
Options +FollowSymLinks
RewriteEngine on
# Send every request for a file in this directory to authorize.php, which checks
# the session before reading the file; [L] stops further rule processing.
RewriteRule ^(.*)$ ../authorize.php?file=$1 [NC,L]
If I split up the JS code into public/private folders, is there a way to serve up JavaScript in this manner rather than just including it wholesale? Will this work for JavaScript?
Thanks
It sounds like you require a separate path for authentication only ... a login path. This path will allow only public assets to be downloaded. Successful authentication redirects the user to your secure path. A logout action redirects the user to the login path.
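To make both the rewrite-to-authorize.php approach from the question and the login-path/redirect flow from the answer concrete, here is an added example of what the gate script could look like. It is example code, not from the original post or the site's developer. It assumes a login page at /login.php that sets $_SESSION['user_id'] after checking the MySQL password, a directory /var/www/protected outside the DocumentRoot holding the private files (including the private JS), and a .htaccess like the one in the question that rewrites requests under the private URL path to /authorize.php?file=<name>; all of those names are assumptions.

```php
<?php
// authorize.php: added example, not the original poster's or the developer's code.
// Assumptions (none of these come from the question):
//   - login.php verifies username/password against MySQL and sets $_SESSION['user_id']
//   - files that need authentication live in PROTECTED_DIR, outside the DocumentRoot,
//     so Apache can never serve them directly, only this script can
//   - a .htaccess like the one in the question rewrites /private/<name>
//     to /authorize.php?file=<name>
declare(strict_types=1);

session_start();

const PROTECTED_DIR = '/var/www/protected';   // assumed path, not under the web root
const LOGIN_PATH    = '/login.php';           // assumed public login page

// Only these types are ever served; anything else is answered with 404.
const TYPES = [
    'js'  => 'application/javascript',
    'pdf' => 'application/pdf',
    'mp3' => 'audio/mpeg',
    'mp4' => 'video/mp4',
];

$requested = (string) ($_GET['file'] ?? '');
$reqExt    = strtolower(pathinfo($requested, PATHINFO_EXTENSION));

// 1. Session check. A <script src> that is answered with a 302 to an HTML login
//    page silently breaks the app, so script requests get a plain 401; everything
//    else is redirected to the login path as the answer above describes.
if (empty($_SESSION['user_id'])) {
    if ($reqExt === 'js') {
        http_response_code(401);
    } else {
        header('Location: ' . LOGIN_PATH, true, 302);
    }
    exit;
}

// 2. Canonicalise and confine. realpath() resolves "..", symlinks and "./" tricks;
//    the result must still be a regular file under PROTECTED_DIR. NUL bytes are
//    rejected up front because realpath() cannot take them.
$base = realpath(PROTECTED_DIR);
$path = strpos($requested, "\0") === false
    ? realpath(PROTECTED_DIR . '/' . $requested)
    : false;
$ext  = $path === false ? '' : strtolower(pathinfo($path, PATHINFO_EXTENSION));

if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !isset(TYPES[$ext])) {
    http_response_code(404);   // same answer for "missing" and "outside the tree"
    exit;
}

// 3. Stream it with an explicit type so the browser never has to sniff.
header('Content-Type: ' . TYPES[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this layout the public/private split the question proposes works for JavaScript exactly as it does for PDFs: the login page and the scripts it needs stay in the DocumentRoot and are served by Apache as usual, while `<script src="/private/app.js">` on the post-login pages goes through the session check. Two practical caveats: `readfile()` ignores HTTP Range requests, so seeking in large MP4s will not work until you either implement Range handling or hand the file to Apache with mod_xsendfile, and the whole scheme is only as strong as the session cookie, so set it HttpOnly and Secure and serve the site over TLS.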