In other words, if my webpages are in ~/public_html, and my CGI scripts are in ~/public_html/cgi-bin, I could put my content files that I want to "hide" into ~/content (ie, not within the area that is within the document path available to the HTTP server).

Then you would write a small set of CGI scripts that simply do the work of authenticating individuals and grabbing data from the files in ~/content.

Your server should be configured such that ~/content isn't available by direct HTTP request, but from within your scripts, it may be made available; the scripts may get at your content path.

Update: Another idea would be to put your content into a database that itself requires password access. The scripts would have access, but outsiders would have no way of directly getting at the DB's contents.

...just a thought.

You simply put foo.txt outside your server's document path and modify the Perl code to read it there instead of wherever you have it now. A Perl CGI can read any file on the system it has permission to read.

That would still allow people to view the contents through the "direct URL" (using the script) eg, http://www.mysite.com/?file=foo.txt, but maybe I don't understand the question right.

--
b10m

All code is usually tested, but rarely trusted.

I think the key line is: How can I allow access to content via a script, but dissallow it via a direct URL?

So accessing via the cgi is what he wants, just not accessing the file directly. The simple solution is to put the file(s) in a directory that is accessible by the apache user (or cgi user) but not under the document root. The CGI would then be responsible for verifying the session/auth and presenting the file if it needs to, or the error page if the file access is not allowed.


-Waswas

My understanding is that the poster wants to allow a CGI to print out the file (presumably because the CGI handles password protections itself), but wants to make sure that the file isn't available without going through the CGI.

----
: () { :|:& };:

Note: All code is untested, unless otherwise stated

If you make the timestamp have a high resolution (like down to the second), then the server should check several possible seconds for a match, to take into account the possibility of the request taking time, or the two clocks not matching perfectly.

You might also want to use https for further privacy.

i've used the timestamp method along with some other features for safely storing and distributing pay-per-view video content. worked VERY well too!

If you are willing to feed the content dynamicaly through a CGI script, then the CGI script can check the cookie and push the file to the client. The content files don't need to be visible through the web server for this to work.

You can even make the URL look like a static file by using the path info after the URL to the script.

http://www.example.com/cgi-bin/content.cgi/foo.txt
[download]

$cgi->path_info eq '/foo.txt'
[download]

How can I allow access to content via a script, but dissallow it via a direct URL? The content needs to have permissions to allow access by Apache, but dissallow outside access at the same time.

To put it bluntly, you can't. There's always a way to script your way around these "safety measures". You could check for HTTP_REFERER, but that would mean that you block people who choose not to send such information to your server and it is easilly forged.

The best way to protect your data is keeping it offline.

Make the file readable only by another user then write a sudo rule that is accesed via your script.