[mod_python] differentiate from where comes the request to a file

Deron Meranda deron.meranda at gmail.com
Fri Jun 9 10:22:17 EDT 2006


On 6/9/06, Rui Miguel Justino <rmcjustino at gmail.com> wrote:
> Is it possible to differentiate between a request to a file of type
> (pdf, png, etc) made by a psp page and a direct request made by a user who is
> trying to access these files directly?
>
> Sorry if it is confusing. The purpose here is to only give access to files
> for users who have authenticated to the application, but even those users
> will only have access to files that show up in the application (webpage). And
> if those users are trying to guess file names they will not have access to
> the files.

As Nicolas said, usually the Referer header is used as a simple check.
That can even be done using just Apache directives with no mod_python
work if you want.

However, if you're willing to put in more work and you don't want
to actually use authentication, you can make use of dynamically
generated hard-to-guess URLs for your images.

Essentially when you output the HTML page which contains the
<img> link (or other linking element) you generate URLs with
lots of random characters.  Then either record those URLs in
a database of sorts, or perhaps encrypt or sign them (the standard
Python 'hmac' module may be useful).  And finally have a mod_python
handler accept all those URLs and serve the file contents only if
the URL verification works.  Eventually you remove the valid
URLs from your database (or they expire if you recorded a
date in them before HMAC signing).

There's lots of details I left out, but it should give you the idea.
-- 
Deron Meranda
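
An added example (not part of the message above and not mod_python code) of
the HMAC-signed, expiring URL scheme it describes, in Python 3 with the
standard hmac module. The key value, the /files/ prefix and the e/s query
parameter names are assumptions; wiring verify_signed_url into a handler is
left out.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Assumptions for this example: key value, URL prefix, parameter names.
SECRET_KEY = b"constructed-demo-key-load-the-real-one-from-config"
PREFIX = "/files/"


def _sign(path, expires):
    # Sign path and expiry together so neither can be altered on its own.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_signed_url(path, ttl=300, now=None):
    """Page-rendering side: build a link that is valid for ttl seconds."""
    expires = int(time.time() if now is None else now) + ttl
    return f"{PREFIX}{quote(path)}?e={expires}&s={_sign(path, expires)}"


def verify_signed_url(url, now=None):
    """Handler side: return the file path to serve, or None to refuse."""
    parts = urlsplit(url)
    if not parts.path.startswith(PREFIX):
        return None
    path = unquote(parts.path[len(PREFIX):])
    query = parse_qs(parts.query)
    try:
        expires = int(query["e"][0])
        sig = query["s"][0]
    except (KeyError, ValueError):
        return None  # unsigned or malformed link, e.g. a guessed file name
    # Constant-time comparison; bytes so odd input cannot raise TypeError.
    if not hmac.compare_digest(sig.encode(), _sign(path, expires).encode()):
        return None
    if (time.time() if now is None else now) > expires:
        return None  # genuine link, but past its expiry
    return path


if __name__ == "__main__":
    url = make_signed_url("report.pdf", ttl=60, now=1000)  # constructed input
    print(url, verify_signed_url(url, now=1030))
    print(verify_signed_url(url.replace("report", "secret"), now=1030))
```

Because the expiry is inside the signed message, no database of issued URLs is
needed; the handler only needs the same key as the page generator.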

