Sorry if I'm wrong. If the user is redirected from a different location, is it possible that checking the HTTP Referrer might do the work? Assume the other server has already authenticated the user, so you don't need to authenticate him again; you just grant access to the file if its referrer matches with the page that is expected to redirect the user to your site.

The obvious problem with this, however, is that it causes loose security. Anyone who knows the address of the page that's expected to redirect the user after the authentication may generate a custom HTTP request that fakes a referrer header, bypassing the authentication.

I think you may still verify the authenticity of the user by query parameters, and only by such parameters, forgetting the HTTP authentication completely. Yes, in that case, Range requests might get trickier; though I guess fetching and interpreting the "Range" header, and performing a seek on the file, shouldn't make your script much more complicated.

2011/1/4 Oliver Beattie <oliver@xxxxxxxxxxxx>:
> Actually, that won't work… we need to be able to support clients that do not
> support cookies (APT)
>
> —Oliver
>
>
> On 4 January 2011 11:30, Oliver Beattie <oliver@xxxxxxxxxxxx> wrote:
>>
>> Thanks for your quick reply… unfortunately I can't set a cookie. Another
>> machine (different domain) is redirecting the user to this server (auth
>> happens on that server) and this server is in effect acting as (one of
>> several identically-configured) mirrors. However, it may be possible to
>> redirect them to a location on the mirror that sets the cookie?
>>
>> —Oliver
>>
>>
>> On 4 January 2011 11:28, Mark Watts <m.watts@xxxxxxxxxxxxxxxx> wrote:
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 01/04/2011 11:19 AM, Oliver Beattie wrote:
>>> > Hi there,
>>> >
>>> > I am sure this question has likely been asked many times before, I'm
>>> > just having a bit of a hard time finding answers.
>>> >
>>> > Basically, I need to be able to authenticate downloads based on a URL
>>> > signature if present (passed as a query parameter), instead of via
>>> > Basic authentication (I need to support both of these, but bypass the
>>> > basic auth if no signature is present). It isn't a requirement that
>>> > they live at the same path, so they can be at different virtual
>>> > hosts/directories if necessary.
>>> >
>>> > At first, I thought the best way to do this would be just through a
>>> > simple CGI/WSGI/whatever, but the files I am authenticating access to
>>> > are very large (many GB) and I fear there may be a performance
>>> > implication of doing this (and things like Range requests won't be
>>> > possible without extra work).
>>> >
>>> > Has anyone had any experience with this? What is the best way to
>>> > proceed? Any help anyone could give would be very much appreciated :)
>>> >
>>> > —Oliver
>>>
>>> After authentication, set a cookie with a sensible lifetime (~1 day).
>>> If the cookie is set and valid allow the download, otherwise redirect to
>>> the login page.
>>>
>>> Mark.
>>>
>>> - --
>>> Mark Watts BSc RHCE
>>> Senior Systems Engineer, MSS Secure Managed Hosting
>>> www.QinetiQ.com
>>> QinetiQ - Delivering customer-focused solutions
>>> GPG Key: http://www.linux-corner.info/mwatts.gpg
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.11 (GNU/Linux)
>>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>>>
>>> iEYEARECAAYFAk0jBFUACgkQBn4EFUVUIO2+lACg25ZDyyLlcM5B6KYU+zB5k/6d
>>> 23kAn0eWbv+M4Z9vpWWo9yD8TeJl5aiI
>>> =sGQx
>>> -----END PGP SIGNATURE-----
>>
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
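The query-parameter check suggested in the top reply of this thread, sketched as an added example (not code from any poster in the thread): the authenticating server signs the path and an expiry time with an HMAC, and the mirror verifies them without consulting the Referer header or cookies. The shared `SECRET` and the `expires` and `sig` parameter names are assumptions.

```python
# Added example, not from the thread: HMAC-signed download URLs.
# Assumptions: the auth server and every mirror share SECRET; the query
# parameter names "expires" and "sig" are hypothetical.
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # constructed value; load from config in practice


def _mac(path, expires):
    # Bind the MAC to the exact path and expiry so neither can be swapped.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(path, ttl=300, now=None):
    """Run on the authenticating server before it redirects to a mirror."""
    expires = int(time.time() if now is None else now) + ttl
    query = urlencode({"expires": expires, "sig": _mac(path, expires)})
    return f"{path}?{query}"


def verify_url(url, now=None):
    """Run on the mirror; only the signed query parameters are trusted."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        (expires_raw,) = query["expires"]
        (sig,) = query["sig"]
        expires = int(expires_raw)
    except (KeyError, ValueError):
        return False  # missing, repeated, empty or non-numeric parameter
    if (time.time() if now is None else now) > expires:
        return False  # link has expired
    # Constant-time comparison avoids leaking the MAC through timing.
    return hmac.compare_digest(sig.encode(), _mac(parts.path, expires).encode())
```
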