Linux Users' Group of Davis (LUGOD)
 
Page last updated:
2005 Mar 10 15:58

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Apache question: preventing direct access to files
Richard S. Crawford wrote:

> We've got some .pdf documents on our website that we'd rather people not
> view by directly typing the URL into the browser; we want them to get
> there via a link.
>
> My boss is convinced that we can do this using the same tricks with the
> .htaccess file that can be used to prevent images from being stolen. I'm
> not entirely sure about that.

Isn't it exactly the same problem, though? In either case, you're trying to make sure that HTTP's Referer field is set.

> #<FilesMatch "\.pdf$">
> #SetEnvIf Referer "http://152.79.198.7" local_referrer=1
> #Order Deny,Allow
> #Deny from all
> #Allow from env=local_referrer
> #</FilesMatch>

The above seems right. I don't know whether there are bugs in it, or what, but that's the idea.

'Course, nothing's gonna work if it's commented out ;-)

It's not foolproof: with wget, for example, you could forge a Referer field. But the chances of encountering that are pretty low; and anyway, there's not much you could do about it, short of actually authenticating the tokens.

Since you seem to be using ColdFusion (evidence has been snipped), you could probably write a short wrapper that will serve up the pdf file if the person "deserves" it; and remove the PDF files to outside of the web docs repository.

BTW, don't ColdFusion suck? :-)

-Micah

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
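
The wrapper idea from the reply above, sketched as an added example that is not part of the original post: instead of trusting the forgeable Referer header, the linking page hands out an HMAC-signed, expiring link, and the wrapper serves the PDF from a directory outside the web root only when the token verifies. It is written in Python rather than ColdFusion, and the key, directory, /getpdf path and lifetime are all assumptions.

```python
import hashlib
import hmac
import time
from pathlib import Path
from urllib.parse import parse_qs, urlencode

# Assumptions for this sketch: key, directory, URL path and lifetime are made up.
SECRET = b"constructed-demo-key"        # a real key lives in server-side config
PDF_DIR = Path("/srv/private/pdfs")     # outside the web document root
TTL = 300                               # seconds a generated link stays valid


def sign(name, expires):
    """HMAC over the file name and expiry, so neither can be altered."""
    msg = f"{name}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_link(name, now=None):
    """Called while rendering the page that is allowed to link to the PDF."""
    expires = int(time.time() if now is None else now) + TTL
    query = urlencode({"f": name, "e": expires, "t": sign(name, expires)})
    return "/getpdf?" + query


def resolve(query_string, now=None):
    """Return the Path to serve, or None if the request must be refused."""
    now = time.time() if now is None else now
    q = parse_qs(query_string)
    try:
        name, expires, token = q["f"][0], q["e"][0], q["t"][0]
    except KeyError:
        return None  # a bare URL typed into the browser carries no token
    if not (expires.isascii() and expires.isdigit() and len(expires) < 12):
        return None
    if int(expires) < now:
        return None  # link has expired
    if not hmac.compare_digest(sign(name, expires).encode(), token.encode()):
        return None  # name or expiry was changed, or the token was guessed
    path = (PDF_DIR / name).resolve()
    # Defence in depth: even a validly signed name may not leave PDF_DIR.
    if path.parent != PDF_DIR.resolve() or path.suffix.lower() != ".pdf":
        return None
    return path
```

A signed link can still be copied and reused by anyone until it expires; tying the token to a logged-in session is what it takes to decide who "deserves" the file.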


