> Server A hosts a page with a link for downloading a file from server B. The
> link isn't to the actual file, but rather to a script on server A with the
> path to the file on server B. When the link is clicked, the script
> communicates with server B and asks it to generate a unique, single-use,
> expiring token. The token is stored on server B and then returned. The script
> on server A then does a header redirect to a script on server B, passing the
> token as a query parameter. The script on server B checks to see if the token
> is valid and is not older than one minute. If this is true, it reads the file
> from the file system (outside of webroot) and initiates the headers to stream
> it down to the browser (download). Once it's done, the script deletes the
> token.
>
> What do you think?
What happens when you have a request for the resource more than once or the user refreshes the page a couple times and gets different tokens? Is the authentication/authorization on server A? If so, then why the token for server B?

-- thebigdog

_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
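The token half of the scheme described in the quoted message, as an added example (my own sketch, not code from either poster): server B issues a random single-use token bound to a file under a directory outside the webroot, redeems it at most once within one minute, and purges tokens that were issued but never redeemed, which is the pile-up the refresh question points at. The class name, the directory, the injected clock and the file paths are assumptions for illustration.

```python
import secrets
import time
from pathlib import Path

TOKEN_TTL_SECONDS = 60  # "not older than one minute", per the quoted design


class DownloadTokenStore:
    """Server B's side of the scheme: mint, redeem and expire download tokens.

    Hypothetical in-memory store; a real deployment would share this state
    across workers (database, cache) but the checks stay the same.
    """

    def __init__(self, base_dir, clock=time.time):
        # Files live under base_dir, which is outside the webroot.
        self.base_dir = Path(base_dir).resolve()
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._tokens = {}           # token -> (resolved file path, expiry timestamp)

    def issue(self, relative_path):
        """Called when server A asks for a token for one file; returns the token."""
        target = (self.base_dir / relative_path).resolve()
        # Refuse any path that resolves outside base_dir (e.g. via '..' or symlinks).
        try:
            target.relative_to(self.base_dir)
        except ValueError:
            raise ValueError("requested path is outside the download directory")
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
        self._tokens[token] = (target, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Called by server B's download script with the token from the query string.

        Returns the file path on success, None if the token is unknown, already
        used, or expired. The token is removed on the first attempt regardless
        of outcome, so a second request with the same token always fails.
        """
        entry = self._tokens.pop(token, None)   # single use: gone after one lookup
        if entry is None:
            return None
        target, expires_at = entry
        if self.clock() > expires_at:
            return None
        return target

    def purge_expired(self):
        """Drop tokens that were issued but never redeemed (user refreshed, gave up).

        Returns how many were removed; run this periodically or on each issue().
        """
        now = self.clock()
        stale = [t for t, (_, exp) in self._tokens.items() if now > exp]
        for t in stale:
            del self._tokens[t]
        return len(stale)

    def outstanding(self):
        """Number of tokens currently held (useful for monitoring token pile-up)."""
        return len(self._tokens)
```

A refresh on server A's side simply mints another token; the earlier one stays valid until it is redeemed or its minute runs out, and `purge_expired()` keeps abandoned ones from accumulating. Whether server A authenticates the user before asking for a token is a separate decision; the token only proves that server A vouched for this one download within the last minute.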
