7 Replies Latest reply on Jun 12, 2007 1:37 PM by csawall

    Application Security - Protecting the files from direct access

      I am working on my application. I have a Flex app that everyone will access but to do the work, I have it calling on several PHP files. The Flex app has a login system and only allows advanced functionality after login. This protects the Flex portion, but does not really account for the PHP side of things.... The PHP files do a variety of things, mostly SQL calls, but also run a few system commands.

      How do you set up the PHP files or use an htaccess file to only allow the Flex app to call the PHP files? I'd like to set it up so that the users can't directly access the PHP files. However, I'm sure the client workstation is still making the request when called by the Flex app, right?

      Has anyone done this? Does anyone have any thoughts or suggestions on this?

        • 1. Application Security - Protecting the files from direct access
          In your PHP file you could make it only allow the IP of the server the Flex app is on (if it is a dedicated IP meaning that it doesn't change) or you could create an additional string (token) that the Flex app sends to the PHP file showing that it is the app, and in the PHP file if the token is sent and is correct run the script otherwise do nothing except maybe echo out an error message. The only way someone would get through to the script is to know your token.
          • 2. Re: Application Security - Protecting the files from direct access
            csawall Level 1
            The idea of restricting the src IP in the PHP files may be an idea and I'll investigate it. I'm not sure about adding a token as anyone running the Flex app could watch the POSTs or GETs and get the "token" that allows access.

            Any one else have any good ideas? I think that a lot of people would find this useful.

            • 3. Re: Application Security - Protecting the files from direct access
              Hi csawall,
              These are just some off the top ideas, you can extrapolate and create a solution that might work:
              Since the client has access to the data stream to/from the server, there is no way to guarantee that someone won't use some kind of sniffer program to find what file the flex app is talking to, but that doesn't mean that you can't obfuscate it as much as possible to make it not worth trying.

              One idea was to use a single index and use _GET to control what content is being served, using includes on the php side to serve the proper file/content.

              Since the content you are delivering I would assume requires authentication, you'll have a unique session ID to work in. While the actual php file could be accessed in real time if you watched the data stream, if the user is already authenticated, what diff does it make? Set up specific rules inside your php file, so that it must receive data using a specific protocol, one that you can obfuscate using crypt and base it on variables that are unique, such as SSID + date + time, etc. When you first authenticate with the server from the flex app, have the php login script return the required protocol rules back to the flex app that would be unique to the session. The _SESSION variables on the server would contain the unique protocol rules as well. This gives you server side control over talking to the flex app... then all you would need to do, if you wanted to keep a tighter lid on the access to your script, is just rotate the protocol from time to time.
              Add on top of this, script name obfuscation that you store server side and transfer only withing the validated session, such as e.g. fstrs4adadst4_somefile.php etc etc, where your randomized key is the prefix (or suffix whichever you prefer) of your index. Your code of course would use the current protocol keys to match the current index, and all you need do is control the .htaccess file so that it relays any $_somefile.php to the proper file/directory etc which would be a name that would never be revealed to the public, and only used inside your .htaccess file or on the server side itself.

              Taking it a step further, if you create some kind of pulsing authentication system using the above methods, you can rotate the keys fast enough, so that someone would have to work really hard to figure out the protocol to talk to your server

              Just my 2 cents...
              • 4. Re: Application Security - Protecting the files from direct access
                csawall Level 1
                RFX - I appreciate the ideas. I am sure it will work, but I think it may be too complex for me to figure out.... I'm not really a full time programmer. I wonder if there's a simpler way? It doesn't have to be too extreme, I'd just prefer to only allow the app to call the PHP pages.

                Sandersky - The more I think about your IP idea, which would be nice, I'm not sure it will work. When the client launches the flex app any calls the flex app makes to PHP files on the server come as a client request from the client itself, not the server. So restricting it to the server IP could be an issue.

                Any other thoughts?

                • 5. Re: Application Security - Protecting the files from direct access
                  schjlatah Level 1
                  I too am dubious of the IP restriction idea since the referencing IP address will never be the same. Flex runs on the client machine and thus uses the client's IP address, so that isn't really an option.
                  I don't know PHP, but is there a _referencingFile option, like a way to find what application name submitted the request? If so, only allow for responses to whatever your flex app is called. That too could be faked, but it is something.
                  • 6. Re: Application Security - Protecting the files from direct access
                    levancho Level 3
                    you can restrict only apache to access the files, that will be the easiest way(assuming you are serving php files with apache) it can be done through .htaccess,and istead of specifying box ip address you specify localhost and 127.0.0 etc.
                    I have flash mp3 player that can read directory of mp3 files but if anyone tries to access that location directly they get denied.

                    • 7. Re: Application Security - Protecting the files from direct access
                      csawall Level 1
                      Can you provide an example of what you're talking about? I guess the part that I'm not seeing how it would work is restricting the IP or only allowing Apache. When you launch the Flex app, the call to the swf files are from the client not the server. And all the subsequent calls for HTTPService requests to POST data to grab info from a PHP file is from the client, not the server. So the src IP will always change.

                      Am I missing something?

                      Again - Thanks to all who are responding and trying to help me solve this.