|
Deron Meranda
deron.meranda at gmail.com
Fri Jun 9 10:22:17 EDT 2006
On 6/9/06, Rui Miguel Justino <rmcjustino at gmail.com> wrote: > Is it possible to differentiate between a request to a file of type > (pdf,png, etc) made by a psp page and a direct request made by a user who is > trying to access directly to this files? > > Sorry if it is confuse. The purpose here is to only give access to files > for users who have authenticate to the application, but Even those users > will only have access to files that show up in the application(webpage). And > if those users are trying to guess file names they ill not have access to > the files. As Nicolas said, usually the Referer header is used as a simple check. That can even be done using just Apache directives with no mod_python work if you want. However, if you're willing to put in more work and you don't want to actually use authentication, you can make use of dynamically generated hard-to-guess URLs for your images. Essentially when you output the HTML page which contains the <img> link (or other linking element) you generate URLs with lots of random characters. Then either record those URLs in a database of sorts, or perhaps encrypt or sign them (the standard Python 'hmac' module may be useful). And finally have a mod_python handler accept all those URLs and serve the file contents only if the URL verification works. Eventually you remove the valid URLs from your database (or they expire if you recorded a date in them before HMAC signing). There's lots of details I left out, but it should give you the idea. -- Deron Meranda
|