On 9 Apr 2011, at 15:45, thebigdog wrote:
> I would do it like this:
>
> 1. anything that is on serverB that needs authentication needs to go through
> serverA
>
> 2. serverA will access a special url/directory structure on serverB that is
> allowed access via ip or some other mechanism like a login or something
>
> 3. serverA thus becomes a proxy for your restricted content
>
> This would allow you to not have to worry about tokens or anything like that.
> The auth would be handled between serverA and serverB for that specific
> content.
> Your normal content on serverB would be accessed without restrictions for that
> public content.
>
> this means that requests like this
> (http://serverB.com/download.php?file=special.pdf) need to come from serverA
> only and no one else.
>
> You could even do that in the download.php file too.

Restricting access by IP would be a great option if it would be secure enough. I wouldn't even have to have the secure files outside of web root. I could simply use Apache to restrict access to a certain directory to a certain IP. I thought that HTTP_REFERER wasn't reliable though. Isn't that easy to spoof?

_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
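
The check discussed in this thread, as an added example that is not code from either poster: a `download.php` for serverB that decides on the TCP peer address (`REMOTE_ADDR`) and never on request headers such as Referer, which the client sets itself. The address `203.0.113.10`, the directory `/var/www/protected` and the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Assumed values: serverA's address (documentation range) and the protected directory.
const ALLOWED_PEERS = ['203.0.113.10'];
const PROTECTED_DIR = '/var/www/protected';

// Decide from the TCP peer address only. Referer and X-Forwarded-For are
// request headers chosen by the client, so they are never consulted.
function peer_is_allowed(array $server): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    return in_array($peer, ALLOWED_PEERS, true);
}

// Map the ?file= value to a regular file inside PROTECTED_DIR, or null.
// basename() drops any directory part; realpath() resolves symlinks so the
// prefix comparison is made on the real location.
function resolve_download(string $requested): ?string
{
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    $base = realpath(PROTECTED_DIR);
    $path = realpath(PROTECTED_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

if (!peer_is_allowed($_SERVER)) {
    http_response_code(403);
    exit('Forbidden');
}
$file = $_GET['file'] ?? null;
$path = is_string($file) ? resolve_download($file) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

If serverB sits behind a reverse proxy or load balancer, `REMOTE_ADDR` is that proxy's address, so the allowlist has to be enforced at the proxy instead.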
