httpd-users mailing list archives

From Chris Meadors <clubn...@hereintown.net>
Subject Re: [users@httpd] Q: pw protect folder, no users, just pw
Date Thu, 30 Jan 2003 04:19:23 GMT
Jeff Cohen wrote:
> There's nothing you can do about it, that's the nature of authentication,
> when another interface (in your case winamp) is accessing the server, the
> server "thinks" that it's another client trying to connect.

That's not exactly the case.  The server doesn't remember who is logged 
in.  The web browser is actually doing the remembering.  After it is 
required to send an auth for a directory once it just continues to send 
it with every request after that.  So when a URL is passed to Winamp, it 
doesn't know it has to be logged in.

> I guess somebody here might know of a good solution using the POST, GET and
> other methods of the HTTP protocol that might help you to define the
> requested action to be taken in some files.
> As far as my knowledge, I know that if you will allow some file types and
> you will try to reach them by their full path
> (www.domain1.com/protected_dir/song.mp3) then the file will be accessed
> without any request by the server to authenticate.

I can think of 3 workarounds, none of them perfect.

First, on the page served from the directory, place a note that says, "If 
you click on the files here it may launch an external program that will 
prompt you again for the password.  To avoid this, right click and 
choose Save As... to save the file to your hard disk for later use." 
This has the added benefit that it may save you bandwidth as the user 
won't have to come back to your server if they want to use the file again.

Second, you could have the HTML link to files outside of the password 
protected directory.  So you need the password to get the listing of the 
files, but once you have it you can retrieve them just by knowing the 
URL.  You could make the links like href="..8BCdQPZEI0/file" to a 
directory with a pretty random name so no one would guess it.  I would 
also turn off directory listings (or put a 0 byte index.html file in it) 
to keep people from finding more files than they should know about.  You 
might also want to go one step farther and put each file (or group of 
files) in a separate directory, so people couldn't just guess file names 
after they know one (like in the future if you make more releases and 
some people no longer have access).  One more method that is a little 
more dynamic, would be to put all the files in one randomly named 
directory, but change its name every so often.  That would require that 
you change all the links in the HTML though, but if the file is 
generated that wouldn't be hard at all.

Lastly, you could try making all the links absolute and include the 
username and password in them.  You would no longer be able to link to 
just file names like:  href="file", you'd have to specify the entire 
path in each link like:  href="username:password@host/directory/file" (I 
was trying to test to see if you could use relative links with a U&P, 
but it doesn't seem to work all that well.)  I think most programs know 
what to do when passed a link in that form, they will then log in using 
the username and password given.  I could see how the form 
href=":password@host" may confuse something, but seems to work with the 
2 programs I tried.

-- 
Chris


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
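
The behaviour described in this message, shown as an added example that is not part of the original post: a server that keeps no login state, a client that resends the Authorization header the way the browser does, and a helper program handed only the URL. The credentials, realm and path are constructed sample values, and the helper is assumed to turn a user:password@host URL into a Basic header, as the post reports for the programs tried.

```python
# Added example: credentials, realm and path are constructed sample values.
import base64, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

USER, PASSWORD = "listener", "example-pw"  # constructed, not from the thread
def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class Protected(BaseHTTPRequestHandler):
    """Keeps no login state: each request is judged on its own header."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == basic(USER, PASSWORD)
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="files"')
        self.end_headers()
        if ok:
            self.wfile.write(b"song bytes")
    def log_message(self, *args): pass  # keep the demo quiet

def fetch(url, authorization=None):
    """GET url and return the status; send credentials only if we hold them."""
    parts = urlsplit(url)
    if parts.username is not None:  # user:password@host form carries its own
        authorization = basic(parts.username, parts.password or "")
    headers = {"Authorization": authorization} if authorization else {}
    conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
    conn.request("GET", parts.path, headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status

def demo():
    server = HTTPServer(("127.0.0.1", 0), Protected)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    target = f"127.0.0.1:{server.server_port}/protected_dir/song.mp3"
    try:
        return {
            "browser": fetch(f"http://{target}", basic(USER, PASSWORD)),
            "helper_bare_url": fetch(f"http://{target}"),
            "helper_userinfo_url": fetch(f"http://{USER}:{PASSWORD}@{target}"),
        }
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

The third request succeeds only because the password is part of the link itself, so it is readable in the page source and anywhere that URL is logged or stored.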