httpd-users mailing list archives

From Alex Bligh <a...@alex.org.uk>
Subject Re: [users@httpd] Secure htaccess in a non-SSL Apache (and without Digest...)
Date Fri, 29 Jun 2012 09:13:18 GMT
Daniel,

--On 29 June 2012 10:38:24 +0200 Daniel Merino <daniel.merino@unavarra.es> 
wrote:

> I'm not sure I understand this approach at all, but anyway, I think that
> will not be valid for us.
>
> Drupal's restricted access to the video works fine, but in the moment
> that some authorized user can see the video, he can see the video's URL
> in the page or in the embed code that we publish for every video.
>
> So if that user pastes the URL in the browser, he has direct access to
> the video. Drupal doesn't notice this access, and it is Apache that must
> handle it.
>
> And Apache's protection is sent in plain text unless we serve the video
> over SSL.

The answer here really is 'well don't do that then'. Quite apart from
anything else, do you really want credentials (even with digest auth) going
over http at all?

Rather than use http authentication to mediate access to the video, use a
token (that can be in the GET URL, in a cookie, whatever) to prove that the
user is authorised to serve that video, and get Drupal / whatever to check
it. Ensure that access via the 'URL' (meaning the URL without the token)
just does not work. If your token is (e.g.) 256 bits, and linked in the
manner I described to a particular user, video, and time period, then
(a) if it is intercepted, the worst that can happen is someone gets access
to one video for a 10 second interval, and (b) no user credentials are passed
in the plain - you can even hide the username. Guessing 256 bit numbers
is not easy.

(re my previous reply, you might want to hash the video name too in
case that was not obvious)

I'm not familiar with Drupal but I am with Wordpress, and you'd just
write a bit of php to do it. If what you are saying is that Apache is just
serving a file, 5 lines of perl and mod_perl can check a GET URL in the
manner I suggested.

If you really want to use custom authentication, you can do that either by
writing your own authentication module (which I've done several times in C)
or use mod_auth_external or similar. However, be warned: you may find the
storage format used is fundamentally incompatible (at an algorithm level
rather than a code level) with digest authentication. You might find it
easier to switch Drupal to using digest authentication too. I have no idea
whether that is possible.

-- 
Alex Bligh

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

