Hi, Alex, and thanks for that quick answer.I'm not sure to understand at all this approach, but anyway, I think that will not be valid for us.
Drupal's restricted access to the video works fine, but in the moment that some authorized user can see the video, he can see the video's URL in the page or in the embed code that we publish for every video.
So if that user pastes the URL in the browser, he has direct access to the video. Drupal doesn't notice this access and is Apache who must handle it.
And Apache's protection is sent in plain text unless we serve the video over SSL.
Regards. Alex Bligh escribió:
--On 29 June 2012 10:06:04 +0200 Daniel Merino <daniel.merino@xxxxxxxxxxx> wrote:However, with some specially sensible videos we also have an extra protection. We set an htaccess with mod_authn_dbd linked with Drupal database, so direct access to these resources URLs is protected with the same user & password used in Drupal.I suggest you don't do that then.How about getting your http Drupal installation to send out an http URL to the video which contains e.g. the username, a time, and a hash of both witha secret.Then, in the bit serving the videos, check that the hash is valid, and thetime is within (say) 5 seconds of the current time (which will prevent reuse and token sharing), and just stream with no further authentication.
-- Daniel Merino Echeverría daniel.merino@xxxxxxxxxxx Gestor de teleformación - Centro Superior de Innovación Educativa. Tfno: 948-168489 - Universidad Pública de Navarra. --Beneficiadme con vuestras convicciones, si es que las teneis; pero guardaros vuestras dudas, pues me bastan las mías. (Goethe)
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx