Daniel,

--On 29 June 2012 10:38:24 +0200 Daniel Merino <daniel.merino@xxxxxxxxxxx> wrote:
> I'm not sure I understand this approach at all, but anyway, I think it will not be valid for us. Drupal's restricted access to the video works fine, but the moment some authorized user can see the video, he can see the video's URL in the page or in the embed code that we publish for every video. So if that user pastes the URL into the browser, he has direct access to the video. Drupal doesn't notice this access, and it is Apache that must handle it. And Apache's protection is sent in plain text unless we serve the video over SSL.
The answer here really is 'well don't do that then'. Quite apart from anything else, do you really want credentials (even with digest auth) going over http at all?

Rather than use http authentication to mediate access to the video, use a token (that can be in the GET URL, in a cookie, whatever) to prove that the user is authorised to see that video, and get Drupal / whatever to check it. Ensure that access via the 'URL' (meaning the URL without the token) just does not work.

If your token is (e.g.) 256 bits, and linked in the manner I described to a particular user, video, and time period, then (a) if it is intercepted, the worst that can happen is someone gets access to one video for a 10-second interval, and (b) no user credentials are passed in the plain - you can even hide the username. Guessing 256-bit numbers is not easy. (re my previous reply, you might want to hash the video name too in case that was not obvious)

I'm not familiar with Drupal but I am with Wordpress, and you'd just write a bit of php to do it. If what you are saying is that Apache is just serving a file, 5 lines of perl and mod_perl can check a GET URL in the manner I suggested.

If you really want to use custom authentication, you can do that either by writing your own authentication module (which I've done several times in C) or use mod_auth_external or similar. However, be warned: you may find the storage format used is fundamentally incompatible (at an algorithm level rather than a code level) with digest authentication. You might find it easier to switch Drupal to using digest authentication too. I have no idea whether that is possible.

-- 
Alex Bligh

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx