Login Based File Download

Keary Suska aksuska at webflyer.com
Thu Nov 22 01:09:53 CST 2001


The hard way--make an Apache Perl module ;-)

The easy way--have a cgi generate the file listings instead of using
indexing. You could use path_info instead of query_string to make the
process appear "normal" to any user. Thus, when a file URL is clicked on,
the cgi is invoked which can check authentication (which would have to be
stateful, of course). A 403 forbidden page can be sent if auth fails. You
don't need to send a real 403 status, just the appropriate HTML. The user
won't likely know the difference. This method is also extensible since you
can show/hide files based on users and groups if you like.

Keary Suska
Esoteritech, Inc.
"Leveraging Open Source for a better Internet"

> From: "Matthew J. Long" <matt.long at matthew-long.com>
> Date: Wed, 21 Nov 2001 23:09:48 -0700
> To: "Pikes-Peak Perl Mongers" <pikes-peak-pm-list at happyfunball.pm.org>
> Subject: Login Based File Download
> 
> I'm sure there's more than one way to do it  ;-)  , but I was wondering what
> you all think is the best approach for enabling authorized users to download
> files while keeping everyone else out--without using .htaccess. I want to
> validate the user and then generate the screens they need dynamically. There
> will be a screen on which the user is allowed to download files. If the
> directory containing the files is publicly accessible for authorized users,
> how can I keep unauthorized users out.
> 
> Also, if your answer is, just send the proper file header back to the user
> and then stream the file back (I could just open the file from behind the
> web tree to keep it hidden this way--I think) using a CGI. Does anyone know
> of a good way to do this, or more specifically how to do it at all?
> 
> Thanks in advance for your help.
> 
> -Matt
> 
> 




More information about the Pikes-peak-pm mailing list