Forum Moderators: phranque

rewrite based on file ext to cgi script pre auth

is it possible?

         

pjfvenice

6:16 am on Sep 27, 2005 (gmt 0)

10+ Year Member



Does that subject even make sense?

Any user that requests a *.mp3 file will be redirected to a cgi script that will authenticate and set a cookie.
The rewrite rule will not match once the cookie is set and the user will be able to d/l the file.

I'm at a loss as to whether this is even possible.
Is mod_rewrite the appropriate place to implement this?
..

Thanks all in advance

jdMorgan

2:00 pm on Sep 27, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



pjfvenice,

Welcome to WebmasterWorld!

You might want to investigate the use of the %{HTTP_COOKIE} variable, tested by mod_rewrite's RewriteCond [httpd.apache.org] directive.

The other alternative is to place both the authorization and file-serving functions within the script, and use the scripting language's "file include" function to actually serve the mp3 file contents if the cookie exists and has the correct content. This script-based method has the advantage of allowing the use of complex and hard-to-spoof cookies, as compared to mod_rewrite's limited cookie-checking support.

Jim

pjfvenice

5:39 pm on Sep 28, 2005 (gmt 0)

10+ Year Member



Thanks Jim.

You are right - it is more efficient to place both authorization and file-serving functionality in the script rather than relying on mod_rewrite. It looks like we've got that implemented.

I'm trying to now figure out what would be the best way to keep people from downloading the files directly - i.e. what rewrite rule to make sure they go through login.cgi? Or what criteria I should be trying to match.

The problem is all of the content is web accessible - and I can't move it, so I need to make sure that only login.cgi is calling the content.

I know this can be done with mod_rewrite but I'm not sure how to start the rule.

Thanks again if you can help.

jdMorgan

6:11 pm on Sep 28, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The options are to move the protected content outside the HTTP-accessible directory tree, or to control HTTP access to those files based on URL, directory, filename, filetype, or any other information sent by the client (browser).

So, a basic RewriteRule for use in .htaccess might look like:


RewriteRule ([^.]+\.mp3)$ /mp3_serving_script.cgi?file=$1 [L]

The result of this is that any request for <anything>.mp3 is passed to mp3_serving_script.cgi with a query string of "file=<anything>.mp3".

The mp3-serving script then checks for the cookie set by login.cgi and, if present and valid, reads the content of the mp3 file passed in the query string and outputs it to the client.

Note that the script and filenames used above are examples. There is no reason why you couldn't add logic to login.cgi itself to handle these file-serving requests.

There are hundreds of ways to do this. It's actually harder to pick a method that will work for you over the long term and accommodate growth or change than it is to implement the method once you've chosen it.

Jim
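The decision logic of the serving script described in the thread, as an added example that is not code from any poster: it validates an HMAC-signed cookie (one form of "hard-to-spoof" cookie) and confines the `file=` value passed by the RewriteRule to the media directory. The cookie name `auth`, the token layout, `SECRET` and `MEDIA_ROOT` are assumptions made for illustration.

```python
import hashlib, hmac, os, time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"   # assumption: key shared with login.cgi
MEDIA_ROOT = "/var/www/html"       # assumption: directory tree holding the mp3 files

def _mac(user, expires, secret):
    return hmac.new(secret, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()

def make_token(user, expires, secret=SECRET):
    """Cookie value login.cgi would issue: user|expiry|HMAC-SHA256."""
    return f"{user}|{expires}|{_mac(user, expires, secret)}"

def token_valid(token, now=None, secret=SECRET):
    """True only if the MAC matches and the expiry has not passed."""
    try:
        user, expires, mac = token.split("|")
        expires = int(expires)
    except ValueError:
        return False
    now = time.time() if now is None else now
    good = hmac.compare_digest(mac.encode(), _mac(user, expires, secret).encode())
    return good and expires > now

def resolve_mp3(requested, root=MEDIA_ROOT):
    """Map the file= value to a path under root; None if it escapes or is not .mp3."""
    if "\0" in requested:
        return None
    root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if not path.endswith(".mp3") or os.path.commonpath([root, path]) != root:
        return None
    return path

def handle(environ, now=None):
    """Per-request decision: (status, path to stream or None)."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    token = cookie["auth"].value if "auth" in cookie else ""
    if not token_valid(token, now):
        return 403, None
    query = parse_qs(environ.get("QUERY_STRING", ""))
    path = resolve_mp3(query.get("file", [""])[0])
    return (200, path) if path else (404, None)
```

A real CGI wrapper would call `handle(os.environ)` and, on 200, send an `audio/mpeg` header and stream the file; on 403 it would send the client to login.cgi.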