[Zope] Re: Application Design and Photos

Gregor Melhorn g.melhorn at web.de
Fri Nov 5 07:15:02 EST 2004


Hello zope-users,

thank you very much for your suggestions!

I thought about it for a while, and the following solution came to my mind
:-)

First: Speed is critical to the site, since there may be several thousand
users online at the same time. 

What about using the extImage Product, letting Apache serve the content from
an external image repository? So Zope only serves image URLs. This should be
way faster than letting Zope serve the images all by itself. For security, I
thought of creating a separate directory for each user containing the user's
photos. Directories are configured to not be listable by anonymous users via
Apache. Every filename is a random string with at least 30 characters, so
guessing the files should be impossible.

For added security: I don't know if there is some kind of Apache rule that
allows locking out IPs that tried to guess files, therefore generating a lot
of 404s.

Security could further be improved by checking the referrer in the rewrite
rule, which is used by extImage. Also it would be possible to set a cookie
at the gallery page, and check the cookie in a rewrite rule. This would
prevent authenticated users from linking directly to the images (and
therefore allowing unauthorized access). Not 100% secure, but should be
difficult for everyone that doesn't know how to fake a cookie and modify his
referrer (= the average user).

What do you think about that solution?

Thanks for your help!!!

Gregor
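
An added example, not part of the message above and not extImage code: a Python sketch of the two checks the design relies on, an unguessable per-user file name and a scan of the Apache access log for clients producing bursts of 404s under the photo directory. The `/photos` root, the function names, the thresholds and the log lines are assumptions constructed for illustration.

```python
import re
import secrets
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log format: client IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def new_photo_path(user_id, ext="jpg", root="/photos"):
    """Per-user directory plus a CSPRNG name: 40 hex chars = 160 bits."""
    return f"{root}/{user_id}/{secrets.token_hex(20)}.{ext}"

def find_guessers(lines, prefix="/photos/", limit=5,
                  window=timedelta(seconds=60)):
    """Return IPs with more than `limit` 404s under `prefix` inside `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    flagged = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404" or not m["path"].startswith(prefix):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:  # drop 404s that fell out of the window
            hits.popleft()
        if len(hits) > limit:
            flagged.add(m["ip"])
    return sorted(flagged)

def sample_log():
    """Constructed log lines: one client guessing names, one normal visitor."""
    lines = [f'192.0.2.10 - - [05/Nov/2004:13:00:{i:02d} +0100] '
             f'"GET /photos/42/guess{i}.jpg HTTP/1.1" 404 210'
             for i in range(8)]
    lines.append('198.51.100.7 - - [05/Nov/2004:13:00:03 +0100] '
                 '"GET /photos/42/missing.jpg HTTP/1.1" 404 210')
    lines.append('198.51.100.7 - - [05/Nov/2004:13:00:04 +0100] '
                 '"GET /gallery HTTP/1.1" 200 5120')
    return lines

if __name__ == "__main__":
    print(new_photo_path(42))
    print(find_guessers(sample_log()))
```

The flagged addresses can be fed to whatever blocking mechanism the server already has; a single stale link from a normal visitor stays under the threshold.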
