> I probably should have said this in
> the first place, most of these PDFs are hidden behind a
> login*, while a few of them are even paid-for. (And to make
> it even more complicated, PDFs become free after a while,
> while their location stays the same.) Apache knows -via a
> whole bunch of mod_perl modules- whether the user is logged
> in and, if they are, whether they have paid us money, so I
> think moving the PDFs to a different server -whether on the
> same machine or not- it would over-complicate things. And, in
> particular, wouldn't be the quick solution I'm looking for.

A simple method I've used in the past to solve cross-domain authenticated download problems like this:

1. Server A authenticates the user and generates a redirect to http://contentserver/file.pdf?t=XXXXXXX&a=ZZZZZZZZ where T = the unix timestamp and a = sha1(filepath + T, mysecretvalue)

2. Server B checks that the timestamp t is sufficiently recent and that the hash value is correct, and if so, delivers the file.

Amazon S3 by the way has similar logic built into it, so it can act as Server B in this scenario. See "Query String Request Authentication Alternative" at http://docs.amazonwebservices.com/AmazonS3/2006-03-01/RESTAuthentication.html

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
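The two steps described in the reply above, as an added example that is not part of the original post: Server A signs the path and timestamp, Server B checks freshness and the signature. It uses HMAC-SHA256 in place of the post's sha1(...), and the secret, the 5-minute lifetime and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-secret"    # assumption: shared by Server A and Server B
MAX_AGE = 300                          # assumption: links stay valid for 5 minutes
CONTENT_HOST = "http://contentserver"  # host name used in the post


def _sign(path, ts):
    # HMAC rather than a bare hash of data + secret: no length-extension
    # weakness, and the "\n" separator keeps the path/timestamp boundary
    # unambiguous so two different inputs cannot produce the same message.
    msg = f"{path}\n{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_link(path, now=None):
    """Server A: call only after the user is authenticated and authorised."""
    ts = int(time.time()) if now is None else now
    return f"{CONTENT_HOST}{path}?{urlencode({'t': ts, 'a': _sign(path, ts)})}"


def check_link(url, now=None):
    """Server B: True only if the link is fresh and signed for this path."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        ts = int(qs["t"][0])
        sig = qs["a"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    # Reject expired links and timestamps from the future
    # (assumes both servers have synchronised clocks).
    if ts > now or now - ts > MAX_AGE:
        return False
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(sig.encode(), _sign(parts.path, ts).encode())
```

Because the signature covers the path, a link issued for one PDF cannot be reused for another, but anyone who obtains a valid link can use it until it expires.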