list at joreybump.com
Fri Jun 9 11:04:38 EDT 2006
To expand on Deron's advice: You can store your download files outside of the DocumentRoot, and create symlinks or obfuscated URLs in a location accessible within your site. If you create an md5sum based on connection information, you can use that as part of the URL for the file download. I'd lean towards managing this in a handler, as Deron suggested, but if that's beyond you, the symlink approach is relatively simple and it would be nearly impossible to guess the URL. If the download location is in the same authentication realm as the PSP page, you would also have that as an additional protection. Deron Meranda wrote: > On 6/9/06, Rui Miguel Justino <rmcjustino at gmail.com> wrote: >> Is it possible to differentiate between a request to a file of type >> (pdf,png, etc) made by a psp page and a direct request made by a user >> who is >> trying to access directly to this files? >> >> Sorry if it is confuse. The purpose here is to only give access to files >> for users who have authenticate to the application, but Even those users >> will only have access to files that show up in the >> application(webpage). And >> if those users are trying to guess file names they ill not have access to >> the files. > > As Nicolas said, usually the Referer header is used as a simple check. > That can even be done using just Apache directives with no mod_python > work if you want. > > However, if you're willing to put in more work and you don't want > to actually use authentication, you can make use of dynamically > generated hard-to-guess URLs for your images. > > Essentially when you output the HTML page which contains the > <img> link (or other linking element) you generate URLs with > lots of random characters. Then either record those URLs in > a database of sorts, or perhaps encrypt or sign them (the standard > Python 'hmac' module may be useful). And finally have a mod_python > handler accept all those URLs and serve the file contents only if > the URL verification works. Eventually you remove the valid > URLs from your database (or they expire if you recorded a > date in them before HMAC signing). > > There's lots of details I left out, but it should give you the idea.