httpd-users mailing list archives

From Alex Bligh <a...@alex.org.uk>
Subject Re: [users@httpd] Secure htaccess in a non-SSL Apache (and without Digest...)
Date Fri, 29 Jun 2012 08:18:13 GMT


--On 29 June 2012 10:06:04 +0200 Daniel Merino <daniel.merino@unavarra.es> 
wrote:

> However, with some specially sensible videos we also have an extra
> protection. We set an htaccess with mod_authn_dbd linked with Drupal
> database, so direct access to these resources URLs is protected with the
> same user & password used in Drupal.

I suggest you don't do that then.

How about getting your http Drupal installation to send out an http URL to
the video which contains e.g. the username, a time, and a hash of both with
a secret.

Then, in the bit serving the videos, check that the hash is valid, and the
time is within (say) 5 seconds of the current time (which will prevent
reuse and token sharing), and just stream with no further authentication.

-- 
Alex Bligh


