[UPHPU] restricting access to assets on a public server

thebigdog bigdog at venticon.com
Sat Apr 9 12:58:44 MDT 2011

> Server A hosts a page with a link for downloading a file from server B. The
> link isn't to the actual file, but rather to a script on server A with the
> path to the file on server B. When the link is clicked, the script
> communicates with server B and asks it to generate a unique, single-use,
> expiring token. The token is stored on server B and then returned. The script
> on server A then does a header redirect to a script on server B, passing the
> token as a query parameter. The script on server B checks to see if the token
> is valid and is not older than one minute. If this is true, it reads the file
> from the file system (outside of webroot) and initiates the headers to stream
> it down to the browser (download). Once it's done, the script deletes the
> token.
> What do you think?

What happens when you have a request for the resource more than once or the user
refreshes the page a couple times and gets different tokens?

Is the authentication/authorization on server A? If so, then why the token for
server B?
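
The token handling on server B from the quoted proposal, as an added example that is not part of the original thread. It shows how each page refresh gets its own independent token and how a token is claimed atomically so two requests cannot both redeem it. The class name, directory layout and file path are hypothetical, PHP 8 is assumed, and the token is consumed before streaming starts rather than after the download finishes.

```php
<?php
// Added example (hypothetical names): server B's token store for the scheme above.
// Each token is a file in a private directory; rename() is the atomic "claim" step.
final class DownloadTokens
{
    public function __construct(private string $dir, private int $ttl = 60)
    {
        if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
            throw new RuntimeException('cannot create token directory');
        }
    }

    // Called when server A asks for a token (that channel is assumed authenticated).
    public function issue(string $relPath, ?int $now = null): string
    {
        $token  = bin2hex(random_bytes(32));
        $record = json_encode(['path' => $relPath, 'exp' => ($now ?? time()) + $this->ttl]);
        // Stored under a hash, so the file names alone are not usable tokens.
        file_put_contents($this->file($token), $record, LOCK_EX);
        return $token;
    }

    // Called by the download script; returns the file path, or null if rejected.
    // The caller still has to resolve the path under its base directory outside webroot.
    public function redeem(string $token, ?int $now = null): ?string
    {
        if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) { return null; }
        $claimed = $this->file($token) . '.' . bin2hex(random_bytes(8));
        // Only one concurrent request can win this rename; the rest see a missing file.
        if (!@rename($this->file($token), $claimed)) { return null; }
        $rec = json_decode((string) file_get_contents($claimed), true);
        unlink($claimed);
        if (!is_array($rec) || !isset($rec['path'], $rec['exp'])) { return null; }
        return ($now ?? time()) > $rec['exp'] ? null : $rec['path'];
    }

    private function file(string $token): string
    {
        return $this->dir . '/' . hash('sha256', $token);
    }
}

// Constructed walk-through with fixed timestamps (seconds).
$store = new DownloadTokens(sys_get_temp_dir() . '/dl-tokens-' . bin2hex(random_bytes(4)));
$t1 = $store->issue('reports/q1.pdf', 1000);
$t2 = $store->issue('reports/q1.pdf', 1000); // page refreshed: a second, independent token
var_dump($store->redeem($t1, 1030)); // first use, 30 s after issue
var_dump($store->redeem($t1, 1031)); // same token presented again
var_dump($store->redeem($t2, 1061)); // second token, 61 s after issue
```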


