0

Hi everyone,

I am developing an e-Finance system which handles all the financial activities of the organisation I am working under. In developing such a system, many security measures should be implemented. Hence, I am trying to use .htaccess in order to secure my filenames, file extensions, etc.

For the file extension, I tried this expression and it worked for me.

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
</IfModule>
```

I want to ask if there is any way to change the file names to random numbers that represent the file name, and to hold the number as a temporary session value which will be changed when the browser is closed and recreated when it is reopened.

I haven't tried anything yet, so I am searching for a clue to go on with.

  • 1
    Why not just secure the system as a whole with HTTPS, a Role Based Access Control system and IP address access restrictions? What you're trying won't prevent access to the *actual* file by direct URL should anyone know/guess it. – CD001 May 31 '17 at 14:44
  • 1
    Sounds like security by obscurity. *Don't* rely on that! (https://stackoverflow.com/questions/533965/why-is-security-through-obscurity-a-bad-idea) To your question: I don't think mod_rewrite can handle sessions. But if you redirect any request to your site to a PHP script, then the PHP script can read the session and determine what action was intended with the request. – Fabian May 31 '17 at 14:47
  • Are you trying to implement URLs that are only valid for the session (effectively single use)? Are users already authenticated at this point? – MrWhite May 31 '17 at 15:32
  • @CD001 I understand you clearly, and I have already installed SSL as for implementing the HTTPS you suggested, just wanting to make it hash enough by dynamically changing the filename to a random number and removing the .php/.aspx/etc. extension. – Sunusi Mohd Inuwa Jun 01 '17 at 12:35
  • @Fabian, not necessarily to handle the work of the session, but to generate a random number for me or create a unique number at a time, and the number should be different from every other user's own. Something like that. – Sunusi Mohd Inuwa Jun 01 '17 at 12:39
  • @user82217, you somehow got my point. Actually, I want to encrypt my URLs with something different from the actual **file name**, and it should be distinctive to every user accessing the website. – Sunusi Mohd Inuwa Jun 01 '17 at 12:41

1 Answer

0

You could make a filegetter.php file that receives an encrypted file name based on, for example, session id, IP, time... and makes a PHP include_once with the decrypted file name.

For the .htaccess you can do this:

```apache
RewriteCond %{REQUEST_URI} !/filegetter\.php$
RewriteRule ^(\w+)\.php$ filegetter.php?filekey=$1 [L]
```
driconmax
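A sketch of the filegetter.php idea from the answer above, added here as an example and not the answerer's code. It swaps encryption of the file name for a per-session HMAC token checked against a fixed allow-list, so the request never supplies a path to `require`; the `PAGES` map, the `user_id` session marker and the helper names are assumptions.

```php
<?php
// filegetter.php (added example; names below are hypothetical)
declare(strict_types=1);

// Assumed allow-list: logical page name => script stored outside the web root.
const PAGES = [
    'dashboard' => __DIR__ . '/../app/dashboard.php',
    'ledger'    => __DIR__ . '/../app/ledger.php',
];

// Random key created once per session; the tokens die with the session.
function session_url_key(): string
{
    if (!isset($_SESSION['url_key'])) {
        $_SESSION['url_key'] = random_bytes(32);
    }
    return $_SESSION['url_key'];
}

// Hex token (matches \w+ in the rewrite rule) that differs per user session.
function page_token(string $page): string
{
    return hash_hmac('sha256', $page, session_url_key());
}

// Map a token back to an allow-listed page name, or null if it matches none.
function resolve_token(string $token): ?string
{
    foreach (array_keys(PAGES) as $page) {
        if (hash_equals(page_token($page), $token)) {
            return $page;
        }
    }
    return null;
}

// cookie_lifetime 0 makes the session cookie expire when the browser closes.
session_start(['cookie_lifetime' => 0, 'cookie_httponly' => true, 'cookie_secure' => true]);

$key  = $_GET['filekey'] ?? '';
$page = is_string($key) ? resolve_token($key) : null;

// 'user_id' is an assumed marker set by the login code; the token is not authentication.
if ($page === null || empty($_SESSION['user_id'])) {
    http_response_code(404);
    exit;
}
require PAGES[$page];
```

Links are built with `page_token('ledger') . '.php'`, and each included script still has to enforce its own role checks, since the token only hides the name.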