Feature #1635
closedmod_secdownload instant expiration of URLs
Description
mod_secdownloads should have an option to enable instant expiration of URLs.
After a download is served, that download should instantly expire so it will not work again. The download URL should be instantly added to a blacklist.
To prevent an endless list of blacklists, the blacklisted URLs could be removed from memory once they have expired due to the secdownload.timeout setting.
-- Martyo
Updated by admin almost 17 years ago
mod_secdownloads should have an option to enable instant expiration of URLs.
Why?
Updated by Anonymous almost 17 years ago
it would support download managers/accelerators and be more secure
Updated by admin almost 17 years ago
Aren't download managers/accelerators already supported?
Updated by stbuehler almost 17 years ago
That doesn't make sense. How would instant expiration help downloadmanagers?
Updated by elpepe.uy over 16 years ago
stbuehler wrote:
That doesn't make sense. How would instant expiration help downloadmanagers?
That was exactly what i was looking for, something like one-time downloads.
For example if my script generates a md5 based link, i would like to deny other downloads from that link, also if the timeout period has not been expired.
The if the user publish the link, the first that click there should be the only one that make the download.
Updated by gstrauss over 8 years ago
- Description updated (diff)
- Status changed from New to Wontfix
To attempt to do this properly, some sort of persistent storage would be needed to keep track of used keys, e.g. across multiple lighttpd restarts, or across multiple lighttpd workers, or across multiple servers, ... Depending on your setup, the might mean a memcache or redis or backend database. Depending on your needs, this is better implemented in a FastCGI backend where the key generation is collocated with the code which stores keys, validates keys, and expires keys.
While this could be implemented in lighttpd for a very specific use case, better and more generic alternatives exist.
Updated by gstrauss over 1 year ago
- Status changed from Wontfix to Obsolete
- ASK QUESTIONS IN Forums set to No
mod_secdownload has been deprecated and removed.
It is implementable as a lua script in mod_magnet
See lua mod_secdownload
To implement a one-time-use link without a database, create a uniquely named symlink in the filesystem which points to the target file. Once accessed, remove the symlink. However, if the download fails, the symlink will already have been invalidated. If server.stream-response-body = 2 then a backend script serving the file would have a pretty good idea that the file was (almost) completely sent when it finishes sending the file to the socket to lighttpd, and the backend script could then remove the symlink.
Also available in: Atom