[mod_python] differentiate from where comes the request to a file

Mike Looijmans nlv11281 at natlab.research.philips.com
Mon Jun 12 02:51:57 EDT 2006


Implementing an authentication handler is not so hard. You could also 
use a random(ish) cookie for authentication (only supply the file when 
the user has a cookie from an earlier request).

Another option is to embed that cookie in the file path, e.g. you make 
links like:
  http://myserver.my.domain/myplace/SGTY134S45SFT/document.pdf
A python handler verifies the weird 'SGTY134S45SFT' part of the request 
and uses the sendfile function if that checks out ok. Tip: Make sure 
that the generation creates the same code the next time the same user 
requests the same file (e.g. MD5 of some secret, filename, IP address 
and user name).  This makes it possible for him to still cache the result.


On intranet networks, using something like SPNEGO for authentication is 
very user friendly as your users need only login to a Windows or Linux 
machine once, and need not type passwords or anything to authenticate 
(when using IE or Firefox). The administrative part is a pain to set up, 
but fortunately, that is a task system management must do and not the 
web master... It makes authentication as simple as just reading the 
req.user string value.



--
Mike Looijmans
Philips Natlab / Topic Automation


Rui Miguel Justino wrote:
> Hello,
> Thanks for the quick replies. I have been on this subject for the last 
> couple of days, and did not find a good answer to this. My project will 
> be in top of a python platform so is good to hear the opinion of people 
> who also understand the basics(apache).
> 
> I'm looking for some type of solution that is secure and easy to 
> implement and don't bring a bigger cost to the rest of the application. 
> I will look with more attention to the directions you both have pointed 
> out, I will definitely have to use authentication and then I can 
> probably control the access to files with the Referer Header. I will study 
> the viability of it.
> 
> 
> 
> On 6/9/06, *Deron Meranda* <deron.meranda at gmail.com 
> <mailto:deron.meranda at gmail.com>> wrote:
> 
>     On 6/9/06, Rui Miguel Justino <rmcjustino at gmail.com
>     <mailto:rmcjustino at gmail.com>> wrote:
>      > Is it possible to differentiate between a request to a file of type
>      > (pdf, png, etc) made by a psp page and a direct request made by a
>     user who is
>      > trying to access these files directly?
>      >
>      > Sorry if it is confusing. The purpose here is to only give access
>     to files
>      > for users who have authenticated to the application, but even
>     those users
>      > will only have access to files that show up in the
>     application (webpage). And
>      > if those users are trying to guess file names they will not have
>     access to
>      > the files.
> 
>     As Nicolas said, usually the Referer header is used as a simple check.
>     That can even be done using just Apache directives with no mod_python
>     work if you want.
> 
>     However, if you're willing to put in more work and you don't want
>     to actually use authentication, you can make use of dynamically
>     generated hard-to-guess URLs for your images.
> 
>     Essentially when you output the HTML page which contains the
>     <img> link (or other linking element) you generate URLs with
>     lots of random characters.  Then either record those URLs in
>     a database of sorts, or perhaps encrypt or sign them (the standard
>     Python 'hmac' module may be useful).  And finally have a mod_python
>     handler accept all those URLs and serve the file contents only if
>     the URL verification works.  Eventually you remove the valid
>     URLs from your database (or they expire if you recorded a
>     date in them before HMAC signing).
> 
>     There's lots of details I left out, but it should give you the idea.
>     --
>     Deron Meranda
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
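
The signed-path scheme described above (Mike's "weird part of the URL" that a handler verifies before calling sendfile, and Deron's HMAC-signed URLs with an optional expiry) worked out as an added example. This is not code from the original posts or from mod_python itself; the secret, DOCROOT, the /myplace prefix and the URL layout /myplace/<expires>.<mac>/<filename> are assumptions made for the example. It uses a keyed HMAC-SHA256 from the standard hmac module rather than a plain MD5 over secret+data, because a bare hash of secret||data can be extended by an attacker who knows a valid token. With expires=0 the token is a deterministic function of (user, IP, filename), so the same user gets the same link on every page view and the browser can still cache the file, as Mike's tip requires. The handler() at the end shows how it would be wired into mod_python (req.user, req.uri, req.connection.remote_ip, req.sendfile); that part is an untested sketch since it needs Apache to run.

```python
import hashlib
import hmac
import mimetypes
import posixpath
import time

# Constructed values for this example. In a real deployment the secret comes
# from configuration (never from the code) and DOCROOT is the directory that
# holds the protected files, outside the normal document root.
SECRET = b"example-secret-change-me"
DOCROOT = "/srv/protected"
PREFIX = "/myplace"


def _mac(secret, user, ip, expires, filename):
    """HMAC-SHA256 over every field the URL is bound to. Fields are joined
    with NUL, which none of them may contain, so the encoding is unambiguous.
    A keyed MAC is used instead of MD5(secret + data), which is forgeable by
    length extension."""
    msg = b"\0".join(s.encode("utf-8") for s in (user, ip, str(expires), filename))
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def sign_path(filename, user, ip, expires=0, secret=SECRET):
    """Build a URL path of the form /myplace/<expires>.<mac>/<filename>.

    expires=0 means the link never expires; the token is then a pure function
    of (user, ip, filename), so the same user gets the same URL on every page
    view and the browser can cache the file. A non-zero expires is a Unix time
    after which verify_path() rejects the link."""
    return "%s/%d.%s/%s" % (PREFIX, expires,
                            _mac(secret, user, ip, expires, filename), filename)


def verify_path(url_path, user, ip, now=None, secret=SECRET, docroot=DOCROOT):
    """Validate a requested URL path; return the file to serve, or None.

    Order: cheap syntactic checks first, then expiry, then the MAC in a
    constant-time compare, then a final containment check on the resolved
    filesystem path so that even a mis-issued link can never escape docroot."""
    if now is None:
        now = int(time.time())
    if not url_path.startswith(PREFIX + "/"):
        return None
    token, sep, filename = url_path[len(PREFIX) + 1:].partition("/")
    if not sep or not filename:
        return None
    exp_s, dot, mac = token.partition(".")
    if not dot or not exp_s.isdigit() or not mac:
        return None
    expires = int(exp_s)
    # Reject traversal, absolute names and empty components before anything
    # touches the disk; guessed names never get past this point without a MAC.
    parts = filename.split("/")
    if "\0" in filename or "" in parts or "." in parts or ".." in parts:
        return None
    if expires and now > expires:
        return None
    if not hmac.compare_digest(mac, _mac(secret, user, ip, expires, filename)):
        return None
    full = posixpath.normpath(posixpath.join(docroot, filename))
    if not full.startswith(docroot + "/"):
        return None
    return full


def handler(req):
    """mod_python content handler (assumed wiring, not exercised here): Apache
    has already authenticated the user, e.g. via SPNEGO, and filled in
    req.user. A 404 rather than 403 avoids confirming that a guessed file
    exists."""
    from mod_python import apache
    if not req.user:
        return apache.HTTP_FORBIDDEN
    path = verify_path(req.uri, req.user, req.connection.remote_ip)
    if path is None:
        return apache.HTTP_NOT_FOUND
    req.content_type = mimetypes.guess_type(path)[0] or "application/octet-stream"
    req.sendfile(path)
    return apache.OK
```

Binding the token to the client IP, as Mike suggests, is a trade-off: it stops a copied link from working elsewhere, but users behind a rotating proxy pool or on changing DHCP leases will get 404s, in which case drop the ip field from the MAC input and rely on the user name and expiry alone.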
