One thing I see a lot of, and it bugs me to no end is the way web applications store everything (class files, configs, passwords, templates, uploads, on and on…) in web space.
I consider this to be a serious security concern, we’ve all probably seen what happens when a web server gets mis-configured or when a file gets renamed to “super-private-data.php.BAK”, allowing a web browser to access the file. (or dump the source of it)
For the same reasons, I don’t like to rely on an .htaccess file if I can avoid it.
On my favorite platforms, we have home directories. You can look up the persons home directory using posix functions and store stuff much as any other unix application. ~user/foo, when this works, it works great, you can get their userid from the file owner.
Some lower quality ISP’s disable the posix functions, so I’ll use an environment variable (SetEnv in an .htaccess file)
However… I’ve found time and time again that people get confused by this. (especially with ftp clients that chroot into their home directories)
Seems people expect everything to be stored in web space, I’ve even watched (in horror) as people put “.htpasswd” files in web space.
As far as I’m concerned, the home directory /is/ the standard, but I don’t often hear people complain when it’s not supported, is there some new web 2.0 21st century standard being worked on?
Where do you store private data that shouldn’t be in web space?