[UPHPU] restricting access to assets on a public server

Wade Preston Shearer wadeshearer.lists at me.com
Sat Apr 9 14:56:02 MDT 2011

On 9 Apr 2011, at 12:58, thebigdog wrote:

>> Server A hosts a page with a link for downloading a file from server B. The
>> link isn't to the actual file, but rather to a script on server A with the
>> path to the file on server B. When the link is clicked, the script
>> communicates with server B and asks it to generate a unique, single-use,
>> expiring token. The token is stored on server B and then returned. The script
>> on server A then does a header redirect to a script on server B, passing the
>> token as a query parameter. The script on server B checks to see if the token
>> is valid and is not older than one minute. If this is true, it reads the file
>> from the file system (outside of webroot) and initiates the headers to stream
>> it down to the browser (download). Once it's done, the script deletes the
>> token.
>> What do you think?
> what happens when you have a request for the resource more than once or the user refreshes the page a couple times and gets different tokens?

The token would be generated when the link it clicked, not when the page is loaded, so refreshing the page wouldn't have any effect. The token is also unique to the request, so, if two people happen to be browsing the same page and click the same link to download the same file, they will receive different tokens and both will work.

> is the authentication/authorization on server A? If so, then why the token for server B?

Depends on what authorization you're asking about. Server A is a website that users may or may not have to log into. Server B is an asset server. There are no browsable pages on Server B. Requesting files in web root on Server B works normally…


Requesting files outside of web root require a token…


A link on a page on Server A for a file outside of web root on Server B doesn't look like this…

<a href="http://serverB.com/serve.php?file=special.pdf&token=dek2j32k4289">Special.pdf</a>

…it looks like this…

<a href="request.php?file=special.pdf">Special.pdf</a>

The script request.php sends the filename "special.pdf" to Server B. Server B generates a token that only works for that filename and can only be used once and only within the next thirty seconds, and stores it on the server somewhere. The script (on server A) then redirects to this URL:


I would love a solution that doesn't require the token. I need people to not be able to do this…


…though without being authenticated (logged in) on Server A.

More information about the UPHPU mailing list