Daniel,

--On 29 June 2012 14:04:01 +0200 Daniel Merino <daniel.merino@xxxxxxxxxxx> wrote:

> You have talked about perl and mod_perl. I understand that you can override htaccess to use a self-made bit of Perl code that processes it and checks the token. Is this right?

You don't need to override htaccess. Here's a piece of perl found through a random google search to send a file:

  http://rasterweb.net/raster/code/sendfile.html

You'll need to change the header as appropriate. Drop that in as a CGI script (there are a million examples of perl CGI howtos). It would be more efficient if it used sendfile.

All you need to do is modify that perl CGI script to check the GET parameters. My idea was simply to use parameters for your video name, the time, the user, and perhaps a random nonce, and also pass a hash of those. So, CGI document is here:

  http://perldoc.perl.org/CGI.html

and you might want to do something like (completely untested):

    use strict;
    use warnings;
    use CGI;
    use Digest::SHA qw(sha256_base64 sha256);

    # Reply with a 404 and stop; called whenever a check fails
    sub Send404 {
        print CGI::header(-status => '404 Not Found');
        exit;
    }

    my $secret = '[perhaps read this from a file]';

    my $video = CGI::url_param('video');
    my $user  = CGI::url_param('user');
    my $time  = CGI::url_param('time');
    my $nonce = CGI::url_param('nonce');
    my $hash  = CGI::url_param('hash');

    # Sanitize all the above with regexps, i.e. check defined, non-empty
    for my $p ($video, $user, $time, $nonce, $hash) {
        Send404() unless (defined $p && length $p);
    }

    # Recompute the hash over the same fields, in the same order, plus the secret
    my $checkhash = sha256_base64($video."\n".$user."\n".$time."\n".
                                  $nonce."\n".$secret);
    Send404() unless ($checkhash eq $hash);

    my $checktime = time();
    # Exit unless less than 10 seconds out
    Send404() unless (abs($checktime - $time) < 10);

    ... # send the file here

When generating the link, you will have to generate the hash in the same way, and of course a random nonce value.

So anyone can access your CGI program without any protection. However, they will have to have an appropriate token (being the hash file) to actually get the video.

This has the advantage that if you want to put your video file servers on EC2 or whatever, or just multiple servers that aren't your drupal box, it's trivial to do.

-- 
Alex Bligh
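
The link-generating side of the scheme described in the message above, with a matching check, as an added example that is not part of the original message and is not the poster's code. The function names and the base URL are assumptions; the token must have its base64 padding removed because Perl's sha256_base64 returns unpadded output, and it is URL-encoded because base64 can contain '+' and '/'.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import urlencode, urlsplit, parse_qs

FIELDS = ("video", "user", "time", "nonce")
MAX_SKEW = 10  # seconds, the same window as the Perl check


def make_token(video, user, ts, nonce, secret):
    """Unpadded base64 of sha256(video\\nuser\\ntime\\nnonce\\nsecret)."""
    parts = [video, user, str(ts), nonce]
    # "\n" separates the fields, so a field must never contain one or be empty.
    if any(p == "" or "\n" in p for p in parts):
        raise ValueError("empty field or newline inside a field")
    digest = hashlib.sha256("\n".join(parts + [secret]).encode()).digest()
    # Digest::SHA's sha256_base64 emits no '=' padding; strip it to match.
    return base64.b64encode(digest).decode().rstrip("=")


def make_link(base_url, video, user, secret, now=None):
    """Build the signed URL on the site that hands out links."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)  # random nonce from the OS CSPRNG
    params = {"video": video, "user": user, "time": ts, "nonce": nonce,
              "hash": make_token(video, user, ts, nonce, secret)}
    # urlencode escapes '+' and '/' so the token survives the query string.
    return base_url + "?" + urlencode(params)


def check_link(url, secret, now=None):
    """Mirror of the CGI check: recompute the hash, then test the time."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    now = time.time() if now is None else now
    try:
        video, user, ts, nonce, given = (q[k][0] for k in FIELDS + ("hash",))
        expected = make_token(video, user, ts, nonce, secret)
        skew = abs(now - int(ts))
    except (KeyError, ValueError):
        return False  # missing, empty or malformed parameter
    # Constant-time comparison of the supplied and recomputed tokens.
    if not hmac.compare_digest(expected.encode(), given.encode()):
        return False
    return skew < MAX_SKEW
```
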