Secure static media access in a Django site

Question

I'm building a site where registered users can upload files. Those files are then served via Apache. Only users who are logged in should be able to access those files.

I have read this page but it seems that people would have to log in twice to access both the site and the media, each time using a different type of login box.

Is there a way around this or is there some other way to limit access to static media served by Apache using the Django authentication database?

I'm using mod_python.

EDIT: How I ended up solving this after reading Van Gale's answer and this:

1. Switched to WSGI.
2. Installed mod_xsendfile
3. Moved all public media files into a subfolder in /media/public
4. Added access to the public folder using an Alias /media/public /var/www.../media/public
5. Added WSGIScriptAlias /media/protected/ /var/www.../apache/django.wsgi (same handler as for the rest of the site)
6. Added XSendFile On and XSendFileAllowAbove On
7. To the Django app I added an urlconf for /media/protected which does basically what's here, only modified for my authentication system. It handles urls such as /media/protected/GROUP_ID/file so that only members of the GROUP can download the files.

Answer 1

The usual way to do this is to pass back a special header to the web server.

You can do it with nginx using x-accel-redirect as in this Django snippet.

For Apache, it should be pretty similar using the mod_xsendfile module (discussion and examples on Django users mailing list).