httpd-users mailing list archives

From Alex Bligh <>
Subject Re: [users@httpd] Secure htaccess in a non-SSL Apache (and without Digest...)
Date Fri, 29 Jun 2012 08:18:13 GMT

--On 29 June 2012 10:06:04 +0200 Daniel Merino <> 

> However, with some specially sensible videos we also have an extra
> protection. We set an htaccess with mod_authn_dbd linked with Drupal
> database, so direct access to these resources URLs is protected with the
> same user & password used in Drupal.

I suggest you don't do that then.

How about getting your http Drupal installation to send out an http URL to
the video which contains e.g. the username, a time, and a hash of both with
a secret.

Then, in the bit serving the videos, check that the hash is valid, and the
time is within (say) 5 seconds of the current time (which will prevent
reuse and token sharing), and just stream with no further authentication.

Alex Bligh
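
The scheme suggested in the message above, as an added sketch that is not part of the original post: the issuer signs username and time, and the video server checks the signature and the 5-second window. Using HMAC-SHA256 as the "hash with a secret", also binding the URL path, and the names `user`, `ts`, `sig`, `sign_url`, `verify_url` and the secret value are assumptions of this example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode, urlsplit, parse_qs

SECRET = b"constructed-demo-secret"  # assumption: shared by the Drupal site and the video server
MAX_SKEW = 5                         # seconds, the window suggested in the message


def _mac(path, user, ts):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") never give the same MAC input.
    fields = (path.encode(), user.encode(), str(ts).encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(path, user, now=None):
    """Issuer side (the Drupal application): build the tokenised video URL."""
    ts = int(time.time() if now is None else now)
    query = urlencode({"user": user, "ts": ts, "sig": _mac(path, user, ts)})
    return f"{path}?{query}"


def verify_url(url, now=None):
    """Video server side: return the username if the token is valid, else None."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        (user,), (ts_raw,), (sig,) = q["user"], q["ts"], q["sig"]
        ts = int(ts_raw)
    except (KeyError, ValueError):
        return None                  # missing, repeated or malformed parameter
    expected = _mac(parts.path, user, ts)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    if abs(now - ts) > MAX_SKEW:
        return None                  # stale token: limits reuse and link sharing
    return user
```

A window this short only works if the issuing host and the video server keep their clocks synchronised. The link stays valid for anyone who obtains it during those seconds, which matters on a non-SSL connection.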
