You want to generate a nonce (number used once). I have seen this behavior; I think Devise uses a similar approach for token authentication. What you do is:

You create a route that catches the token, match "blah/:token", and create the token with

  Token.create(:nonce => Digest::MD5.hexdigest(rand(99999).to_s))  <=== you can be more creative than this

  def authorize
    begin
      # find_by_nonce returns nil on a miss, so raise to reach the rescue below
      @token = Token.find_by_nonce(params[:token]) or raise ActiveRecord::RecordNotFound
      session[:token] = @token
      @token.destroy
      return true
    rescue ActiveRecord::RecordNotFound
      session[:token] = nil
      return false
    end
  end

Don't put the files in the public folder: Apache serves files from there, not Rails, so anyone can get them by putting the right path in the URL, whether or not they are authenticated to the Rails app. Instead, put the files where Apache can't serve them (anywhere inside the app folder but outside the public folder) and use send_file <http://apidock.com/rails/ActionController/Streaming/send_file> to send them to the user if the authorize action returns true.

If you are deploying with Capistrano, don't forget to put the files in the shared directory and create a symbolic link to the location where the files are supposed to be in the app.
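The pattern described in the reply above (mint a nonce, consume it exactly once, then hand out a file that lives outside the web server's document root), as an added example that is not part of the original post and not Devise's code. It runs in plain Ruby with no Rails or database: OneTimeTokenStore is an in-memory stand-in for the Token model, PrivateDownloader stands in for the controller action that would call send_file, and the private directory, report.pdf and its contents are constructed for the walk-through. It departs from the posted snippet in two assumed choices: nonces come from SecureRandom rather than MD5 of a small random integer, and only a SHA-256 of the nonce is stored.

```ruby
require "securerandom"
require "digest"
require "pathname"
require "tmpdir"
require "fileutils"

# In-memory stand-in for the Token model, so this runs without Rails or a DB.
class OneTimeTokenStore
  Entry = Struct.new(:relative_path, :expires_at)

  def initialize(ttl: 300)
    @ttl = ttl
    @entries = {}
    @lock = Mutex.new
  end

  # Issue a nonce that grants one download of relative_path (chosen by the
  # server, never by the requester). Only the SHA-256 of the nonce is stored,
  # so a leaked token table does not hand out working links.
  def issue(relative_path, now: Time.now)
    nonce = SecureRandom.urlsafe_base64(32)
    @lock.synchronize do
      @entries[digest(nonce)] = Entry.new(relative_path, now + @ttl)
    end
    nonce
  end

  # Consume exactly once. The entry is deleted before it is checked, so a
  # concurrent replay of the same nonce finds nothing. Returns the path or nil.
  def consume(nonce, now: Time.now)
    @lock.synchronize do
      entry = @entries.delete(digest(nonce))
      return nil if entry.nil? || entry.expires_at < now
      entry.relative_path
    end
  end

  private

  def digest(nonce)
    Digest::SHA256.hexdigest(nonce)
  end
end

# Serves files from a directory the web server does not export (in a Rails
# app: anywhere outside public/). Where this returns [200, bytes], a Rails
# controller would call send_file on the resolved path instead.
class PrivateDownloader
  def initialize(store, private_root)
    @store = store
    @root = Pathname.new(private_root).realpath
  end

  # Returns [status, body]; body is nil unless status is 200.
  def fetch(nonce)
    rel = @store.consume(nonce)
    return [403, nil] if rel.nil?
    full = (@root + rel).expand_path
    # Defence in depth: refuse anything that resolves outside private_root.
    return [403, nil] unless full.to_s.start_with?(@root.to_s + File::SEPARATOR)
    return [404, nil] unless full.file?
    [200, full.binread]
  end
end

# Constructed walk-through: one private file, one link, one successful
# download, then a replay, a bogus token and an expired one.
def demo
  Dir.mktmpdir do |dir|
    private_dir = File.join(dir, "private")
    FileUtils.mkdir_p(private_dir)
    File.write(File.join(private_dir, "report.pdf"), "secret report")

    store = OneTimeTokenStore.new(ttl: 300)
    downloader = PrivateDownloader.new(store, private_dir)

    nonce = store.issue("report.pdf")
    status, body = downloader.fetch(nonce)
    replay, = downloader.fetch(nonce)
    bogus, = downloader.fetch("not-a-token")
    stale = store.issue("report.pdf", now: Time.now - 3600)
    expired, = downloader.fetch(stale)

    { first: status, body: body, replay: replay, bogus: bogus, expired: expired }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Deleting the entry before checking it is what makes the token single-use under concurrent requests; if the original Token model is used instead, the equivalent is to destroy the row inside the same transaction that looked it up, before send_file runs.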