
I'm developing a website to show some information in it. This information includes some images for some specific users. I used the img tag in the HTML code to show the images, like this:

<img src="./Devices/100000000000005/GraphReports/Last24Hours.jpg" >

But the problem is that when the user changes the 100000000000005 number to another, like 100000000000006, in the page source view, he would be able to see information that doesn't belong to him. How could I prevent this?

  • Are you creating automatic reports generated as images? Can you not restrict access to any folder in `/devices/{userEncodedId}/*`? What API are you using? And if it is really specific to that user, does it change? Generated daily things? – Dinca Adrian Oct 24 '17 at 06:16
  • 1- Yes, I'm generating a lot of images and files for each device in separate folders, numbered with the device number. 2- These folders are organized according to devices, because every device might be used for a different user. 3- I don't know what an API is. I'm using PHP and MySQL to generate HTML code and a C++ app to update the devices' folders and MySQL. – milad mohtashami Oct 26 '17 at 05:47
  • Do you have a table where you store access rights? (Meaning that you know that user x has access to a, b, c device resources.) Since you are using PHP you can also have a look at https://stackoverflow.com/questions/2187200/using-php-apache-to-restrict-access-to-static-files-html-css-img-etc . By doing as presented in that answer you will avoid exposing a device/user id and avoid the problem where a user can easily know what to change to see other users' resources. – Dinca Adrian Oct 26 '17 at 08:56

0 Answers
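The approach raised in the comments (an access-rights table plus serving the files through PHP instead of directly) could look like the sketch below. It is an added example, not part of the original thread. The `device_access(user_id, device_id)` table, the `$_SESSION['user_id']` login key, the private directory path and the database credentials are all assumptions.

```php
<?php
// image.php (added example): serves a device report only to an authorized user.
// Assumptions, not from the post: table device_access(user_id, device_id),
// $_SESSION['user_id'] set at login, and the Devices directory moved outside
// the web root so that it is reachable only through this script.
declare(strict_types=1);

const DEVICES_ROOT = '/var/www/private/Devices';   // hypothetical path
const ALLOWED_REPORTS = ['Last24Hours.jpg'];        // explicit allow-list of file names

function userMayViewDevice(PDO $db, int $userId, string $deviceId): bool
{
    $stmt = $db->prepare('SELECT 1 FROM device_access WHERE user_id = ? AND device_id = ?');
    $stmt->execute([$userId, $deviceId]);
    return $stmt->fetchColumn() !== false;
}

function resolveReport(string $deviceId, string $report): ?string
{
    // Device ids are digits only and report names come from a fixed list, so
    // input such as "../" is rejected before the file system is touched.
    if (!preg_match('/^\d{1,20}$/', $deviceId) || !in_array($report, ALLOWED_REPORTS, true)) {
        return null;
    }
    $path = DEVICES_ROOT . "/$deviceId/GraphReports/$report";
    return is_file($path) ? $path : null;
}

session_start();
// Placeholder DSN and credentials.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'change-me');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$userId   = $_SESSION['user_id'] ?? null;
$deviceId = (string)($_GET['device'] ?? '');
$report   = (string)($_GET['report'] ?? '');

if ($userId === null) { http_response_code(401); exit; }

$path = resolveReport($deviceId, $report);
// Same 404 for "no such file" and "not your device", so ids cannot be enumerated.
if ($path === null || !userMayViewDevice($db, (int)$userId, $deviceId)) {
    http_response_code(404);
    exit;
}
header('Content-Type: image/jpeg');
header('Cache-Control: private, no-store');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The page would then reference `image.php?device=100000000000005&report=Last24Hours.jpg` in the `img` tag; changing the number in the page source only yields a 404 unless the logged-in user has a matching row in the access table.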