
I want to limit access to files in Apache. A list of restricted files should be variable. If a file access is restricted and a specific cookie is not found, the user should be redirected to a website (with possibility to acquire the cookie) - if it was found, the file will be "loaded".

I would like to solve this problem with mod_rewrite.

My thought is that I redirect all requests to a handler.php script.

This "handler.php" looks for the request and decides if the access is allowed. No problem until here.

The problem is now, that - if the access is allowed - the file has to be loaded. Therefore, I do not know the mime, filesize etc.

Of course, I could write something like

if ($ext == '.jpg') header('Content-Type: ...');

But I do not want to use this solution, since I want to process ALL POSSIBLE files (png, gif, exe, mp3, zip, ETC). The problem is that I cannot know all mime types.

It would be great if I could call Apache (in a subrequest) to load the file (this time without the handler.php).

In my case I do not want to protect resources the strict way like mod_auth, since I only want to add a disclaimer to mature content (drawn artwork which contains blood and is not good for children). If a cookie was not found, I would like to show the disclaimer, and if the cookie is there, I can show the picture.

Daniel Marschall

1 Answer


Considering that you want to block access to all resources under a given path, it seems to me that maybe Apache authorization is the better bet for you. It's a much cleaner solution than manually checking the session on every resource request, and you won't run into the content type handling issues that you're describing.

REVISED:

In that case, I suggest you look into working with cookies and .htaccess.

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_COOKIE} !CookieName= [NC]
RewriteRule .* http://www.example.com/members/login.php [L]
BBonifield
  • Thanks for the hint. You mean the simple ".htpasswd" technique? Of course, that is very secure. But in my case I do not want to protect resources the strict way, since I only want to add a disclaimer to mature content (drawn artwork which contains blood and is not good for children). If a cookie was not found, I would like to show the disclaimer, and if the cookie is there, I can show the picture. – Daniel Marschall Nov 19 '10 at 17:38
  • @Daniel Check the revised post – BBonifield Nov 19 '10 at 19:28
  • Hello BBonifield. Thanks for that solution. I tried it out with a .htaccess and an example.php script that shows the disclaimer, sets the cookie and reloads the page. This time the real file is loaded. – Daniel Marschall Nov 19 '10 at 21:27
  • Additional question: Is it correct that all files/dirs that should be protected need to get "hardcoded" in the .htaccess, or is there an alternative/more complex idea that would allow a PHP handler script to decide (e.g. look into a configured array) if the file has to be protected or not? (And the .htaccess therefore redirects ALL files to the handler the FIRST time). Ideas? Or rather impossible practice? – Daniel Marschall Nov 19 '10 at 21:29
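
The handler.php idea from the question and the last comment, sketched as an added example (it is not code from the question or the answer): the script decides from a configured list whether the cookie is required, canonicalises the path so `../` or `/./` variants cannot dodge the list or escape the document root, and lets `finfo` work out the MIME type. The document root, the disclaimer URL, the protected prefix and the rewrite rule in the comment are assumptions; `CookieName` is the name used in the answer's rule.

```php
<?php
// Assumed .htaccess rule that routes existing non-PHP files here (hypothetical):
//   RewriteCond %{REQUEST_FILENAME} -f
//   RewriteRule !\.php$ /handler.php [L]

const DOC_ROOT       = '/var/www/html';       // assumed, must already be canonical
const COOKIE_NAME    = 'CookieName';          // cookie name from the answer's rule
const DISCLAIMER_URL = '/disclaimer.php';     // hypothetical disclaimer page
const PROTECTED      = ['/gallery/mature/'];  // constructed list of path prefixes

// Map the request URI to a real file, or null if it is not servable.
function resolve_request(string $uri, string $root): ?string
{
    $path = rawurldecode((string) parse_url($uri, PHP_URL_PATH));
    $real = realpath($root . $path);          // collapses ../, /./ and symlinks
    // Only regular files that still sit under the document root.
    if ($real === false || !is_file($real) || strpos($real, $root . '/') !== 0) {
        return null;
    }
    return $real;
}

// Match the configured prefixes against the canonical path, not the raw URL.
function is_protected(string $real, string $root, array $prefixes): bool
{
    $rel = substr($real, strlen($root));
    foreach ($prefixes as $prefix) {
        if (strpos($rel, $prefix) === 0) {
            return true;
        }
    }
    return false;
}

$file = resolve_request($_SERVER['REQUEST_URI'] ?? '/', DOC_ROOT);
if ($file === null || strtolower(pathinfo($file, PATHINFO_EXTENSION)) === 'php') {
    http_response_code(404);                  // never stream script source
    exit;
}
if (is_protected($file, DOC_ROOT, PROTECTED) && !isset($_COOKIE[COOKIE_NAME])) {
    header('Location: ' . DISCLAIMER_URL, true, 302);
    exit;
}
// Detect the type from the file content instead of an extension table.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($file));
readfile($file);
```

Because `finfo` inspects content rather than the extension, stylesheets and scripts are typically reported as `text/plain`, so the rewrite is best scoped to the media directories that actually need the check.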