Hi, Alex, and thanks for that quick answer.

I'm not sure I understand this approach at all, but anyway, I think it will not be valid for us.

Drupal's restricted access to the video works fine, but the moment an authorized user can see the video, he can see the video's URL in the page or in the embed code that we publish for every video.

So if that user pastes the URL in the browser, he has direct access to the video. Drupal doesn't notice this access, and it is Apache that must handle it.

And Apache's protection is sent in plain text unless we serve the video over SSL.

Regards.

Alex Bligh wrote:


--On 29 June 2012 10:06:04 +0200 Daniel Merino <daniel.mer...@unavarra.es> wrote:

However, with some especially sensitive videos we also have an extra
protection. We set an htaccess with mod_authn_dbd linked with Drupal
database, so direct access to these resources URLs is protected with the
same user & password used in Drupal.

I suggest you don't do that then.

How about getting your http Drupal installation to send out an http URL to the video which contains e.g. the username, a time, and a hash of both with
a secret.

Then, in the bit serving the videos, check that the hash is valid, and the
time is within (say) 5 seconds of the current time (which will prevent
reuse and token sharing), and just stream with no further authentication.


--
Daniel Merino Echeverría
daniel.mer...@unavarra.es
E-learning manager - Centro Superior de Innovación Educativa.
Tel.: 948-168489 - Universidad Pública de Navarra.
--
Benefit me with your convictions, if you have any; but keep your doubts to yourselves, for my own are enough for me. (Goethe)
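
The signed, short-lived URL that Alex Bligh suggests in the quoted text, sketched as an added example that is not part of the original thread or of Drupal or Apache. It assumes HMAC-SHA256 as the "hash with a secret" and also binds the video path into the hash (an addition, so a link for one video cannot be replayed for another); `sign_url`, `verify_url`, the query parameter names and the secret are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

SECRET = b"constructed-demo-secret"  # placeholder; shared by the issuer and the video server
MAX_AGE = 5                          # seconds, the window suggested in the thread


def _mac(path, user, ts, secret):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") give different MACs.
    fields = (path.encode(), user.encode(), str(ts).encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_url(path, user, now, secret=SECRET):
    """Issuing side (the CMS): build the link that goes into the page."""
    ts = int(now)
    query = urlencode({"user": user, "ts": ts, "sig": _mac(path, user, ts, secret)})
    return f"{quote(path)}?{query}"


def verify_url(url, now, secret=SECRET, max_age=MAX_AGE):
    """Serving side: True only for an unmodified link inside the time window."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        user, sig = q["user"][0], q["sig"][0]
        ts = int(q["ts"][0])
    except (KeyError, ValueError):
        return False  # missing or malformed parameter
    expected = _mac(unquote(parts.path), user, ts, secret)
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    return abs(now - ts) <= max_age


if __name__ == "__main__":
    import time
    link = sign_url("/videos/lecture1.mp4", "daniel", time.time())
    print(link, verify_url(link, time.time()))
```

A pasted or shared link stops working once the window has passed, so no password has to travel with the video request; both machines need roughly synchronised clocks for a window this short.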
