httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From MegaBrutal <>
Subject Re: [users@httpd] Custom authentication?
Date Tue, 04 Jan 2011 12:05:49 GMT
Sorry if I'm wrong. If the user is redirected from a different
location, is it possible that checking the HTTP Referrer might do the
work? Assume, the other server has already authenticated the user, so
you don't need to authenticate him again; you just grant access to the
file if its referrer matches with the page that is expected to
redirect the user to your site. The obvious problem with this,
however, that it causes loose security. Anyone who knows the address
of the page that's expected to redirect the user after the
authentication, may generate a custom HTTP request that fakes a
referrer header, bypassing the authentication. I think you may still
verify the authenticity of the user by query parameters, and only by
such parameters, forgetting the HTTP authentication completely. Yes,
in that case, Range requests might get trickier; though I guess,
fetching and interpreting the "Range" header, and performing a seek on
the file shouldn't make your script much more complicated.

2011/1/4 Oliver Beattie <>:
> Actually, that won't work… we need to be able to support clients that do not
> support cookies (APT)
> —Oliver
> On 4 January 2011 11:30, Oliver Beattie <> wrote:
>> Thanks for your quick reply… unfortunately I can't set a cookie. Another
>> machine (different domain) is redirecting the user to this server (auth
>> happens on that server) and this server is in effect acting as (one of
>> several identically-configured) mirrors. However, it may be possible to
>> redirect them to a location on the mirror that sets the cookie?
>> —Oliver
>> On 4 January 2011 11:28, Mark Watts <> wrote:
>>> Hash: SHA1
>>> On 01/04/2011 11:19 AM, Oliver Beattie wrote:
>>> > Hi there,
>>> >
>>> > I am sure this question has likely been asked many times before, I'm
>>> > just having a bit of a hard time finding answers.
>>> >
>>> > Basically, I need to be able to authenticate downloads based on a URL
>>> > signature if present (passed as a query parameter), instead of via
>>> > Basic
>>> > authentication (I need to support both of these, but bypass the basic
>>> > auth if no signature is present). It isn't a requirement that they live
>>> > at the same path, so they can be at different virtual hosts/directories
>>> > if necessary.
>>> >
>>> > At first, I thought the best way to do this would be just through a
>>> > simple CGI/WSGI/whatever, but the files I am authenticating access to
>>> > are very large (many GB) and I fear there may be a performance
>>> > implication of doing this (and things like Range requests won't be
>>> > possible without extra work).
>>> >
>>> > Has anyone had any experience with this? What is the best way to
>>> > proceed? Any help anyone could give would be very much appreciated :)
>>> >
>>> > —Oliver
>>> After authentication, set a cookie with a sensible lifetime (~1 day).
>>> If the cookie is set and valid allow the download, otherwise redirect to
>>> the login page.
>>> Mark.
>>> - --
>>> Mark Watts BSc RHCE
>>> Senior Systems Engineer, MSS Secure Managed Hosting
>>> QinetiQ - Delivering customer-focused solutions
>>> GPG Key:
>>> Version: GnuPG v1.4.11 (GNU/Linux)
>>> Comment: Using GnuPG with Fedora -
>>> 23kAn0eWbv+M4Z9vpWWo9yD8TeJl5aiI
>>> =sGQx
>>> -----END PGP SIGNATURE-----

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message