Firstly, my apologies for such a long post, and apologies again if I'm posting in the wrong area. It's a fairly complex problem and it's hard to describe exactly what I'm trying to achieve here.
I am writing a new web application which consists of a single home page with a login box and then an ExtJS-driven management interface connected to a Perl back end.
My site will consist of some generic, publicly available files such as the index.html, the home page stylesheet and the ExtJS library.
The management area of my site will then contain other files which I want to make available only to authenticated users. So, for example, the JS file for instantiating all the ExtJS objects to build my management interface, the JS files containing all of my front end application logic, the management interface's stylesheet, etc.
I want users to come to my site, view the home page (built using only the publicly available files) and the login form, submit the login form to my Perl login script where I will create them a Perl::CGI session and return a cookie with the session ID, and then be redirected to the management area. The management area then constructs the ExtJS interface and makes calls to back end Perl scripts to retrieve its dynamic content.
The management interface may contain an HTML <link> tag to pull in manager.css, for example, in order to style the management interface. Once the user is logged in and viewing the management interface, I want their browser to be able to pull in the stylesheet and format the page. However, I don't want another unauthenticated user to be able to request the stylesheet directly (e.g. by entering http://www.mysite.com/css/manager.css into their browser's address bar).
So, my questions are:
- Where do I place my public and protected files?
- When a client requests one of my resources (e.g. manager.css), how do I direct them through my authentication script before returning the resource?
I thought I could structure my files a little like this:
/cgi-bin
    - login.pl
    - get_resource.pl
/public_html
    - index.html
    /css
        - home_page.css
/protected_resources
    /css
        - manager.css
    /script
        - management_interface.js
The files that I want to be available only to authenticated users are outside of the public_html directory so nobody can just browse to them. In order to access a resource, you have to call /cgi-bin/get_resource.pl?filename=manager.css or similar. get_resource.pl does an authentication check and then decides if it should return the resource from /protected_resources or not.
In my management interface, instead of something like the following:
<head> ... <link href="/css/manager.css" rel="stylesheet" type="text/css"> ... </head>
I'll have something like this:
<head> ... <link href="/cgi-bin/get_resource.pl?filename=manager.css" rel="stylesheet" type="text/css"> ... </head>
Any thoughts, opinions, pointers to web resources, etc. would be greatly appreciated!
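One way get_resource.pl could look, as an added example that is not part of the original post. It assumes CGI::Session for the session store (the post says "Perl::CGI session"; the module is an assumption), that login.pl stores the logged-in user in a session parameter named `user` and sends the CGISESSID cookie, the two directory paths shown, and the two file names from the layout above. The important detail is that the `filename` parameter is used only as a key into a fixed allowlist and never to build a path, so `?filename=../../etc/passwd` cannot escape /protected_resources.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;
use File::Spec;
use Cwd qw(realpath);

# Assumed deployment paths (hypothetical; adjust to your server layout).
my $PROTECTED_DIR = '/var/www/protected_resources';
my $SESSION_DIR   = '/var/lib/myapp/sessions';

# Allowlist of servable resources. The client-supplied name is only ever
# looked up here; the on-disk path and MIME type are fixed server-side.
my %RESOURCES = (
    'manager.css'             => { path => 'css/manager.css',                type => 'text/css' },
    'management_interface.js' => { path => 'script/management_interface.js', type => 'application/javascript' },
);

my $cgi = CGI->new;

sub fail {
    my ($status, $msg) = @_;
    print $cgi->header(-status => $status, -type => 'text/plain');
    print "$msg\n";
    exit;
}

# 1. Authentication: load the session named by the CGISESSID cookie that
#    login.pl set, and require a logged-in user recorded in it.
my $session = CGI::Session->load(undef, $cgi, { Directory => $SESSION_DIR })
    or die CGI::Session->errstr;
if ($session->is_empty || $session->is_expired || !$session->param('user')) {
    fail('403 Forbidden', 'Forbidden');
}

# 2. Resource lookup: exact allowlist match, no path built from user input.
my $name = scalar($cgi->param('filename')) // '';
my $res  = $RESOURCES{$name} or fail('404 Not Found', 'Not found');

# 3. Defence in depth: even with an allowlist, confirm the resolved file is a
#    regular file inside $PROTECTED_DIR (guards against a stray symlink).
my $base = realpath($PROTECTED_DIR);
my $full = realpath(File::Spec->catfile($PROTECTED_DIR, $res->{path}));
unless (defined $base && defined $full && index($full, "$base/") == 0 && -f $full) {
    fail('404 Not Found', 'Not found');
}

# 4. Serve the file. Cache-Control: private, no-store keeps shared caches
#    from handing the "protected" file to the next, unauthenticated client.
open my $fh, '<:raw', $full or die "open $full: $!";
print $cgi->header(-type => $res->{type}, -Cache_Control => 'private, no-store');
binmode STDOUT;
local $/;
print <$fh>;
close $fh;
```

For this to work, login.pl has to create the session after a successful password check, set `$session->param('user', $username)`, and return it with `$cgi->header(-cookie => $cgi->cookie(-name => $session->name, -value => $session->id, -httponly => 1, -secure => 1))`. The same session check (steps 1 and 2 above) belongs in every back end script the management interface calls for dynamic content, so it is worth moving into a shared module rather than copying it; protecting manager.css is pointless if the data endpoints behind it are open.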