Re: Secure htaccess in a non-SSL Apache (and withoutDigest...)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi, Alex, and thanks for that quick answer.

I'm not sure to understand at all this approach, but anyway, I think that will not be valid for us.

Drupal's restricted access to the video works fine, but in the moment that some authorized user can see the video, he can see the video's URL in the page or in the embed code that we publish for every video.

So if that user pastes the URL in the browser, he has direct access to the video. Drupal doesn't notice this access and is Apache who must handle it.

And Apache's protection is sent in plain text unless we serve the video over SSL.

Regards.

Alex Bligh escribió:


--On 29 June 2012 10:06:04 +0200 Daniel Merino <daniel.merino@xxxxxxxxxxx> wrote:

However, with some specially sensible videos we also have an extra
protection. We set an htaccess with mod_authn_dbd linked with Drupal
database, so direct access to these resources URLs is protected with the
same user & password used in Drupal.

I suggest you don't do that then.

How about getting your http Drupal installation to send out an http URL to the video which contains e.g. the username, a time, and a hash of both with
a secret.

Then, in the bit serving the videos, check that the hash is valid, and the
time is within (say) 5 seconds of the current time (which will prevent
reuse and token sharing), and just stream with no further authentication.


--
Daniel Merino Echeverría
daniel.merino@xxxxxxxxxxx
Gestor de teleformación - Centro Superior de Innovación Educativa.
Tfno: 948-168489 - Universidad Pública de Navarra.
--
Beneficiadme con vuestras convicciones, si es que las teneis; pero guardaros vuestras dudas, pues me bastan las mías. (Goethe)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux