Protecting HTML files with .htaccess

Question

My PHP app uses 404 Documents to generate HTML files so that multiple queries to the same HTML file only cause the generation to run once.

I'd like to intercept requests to the HTML files so that the user needs to have an established PHP Session in order to pull up the files.

In the best case, SESSION ID would be used in the URL and force it could be used as a further authentication. For example, logging in would issue you a SessionID and make only certain HTML files accessible to you.

I'm aware that by changing my cookies I could spoof a request, but that's fine.

How would I go about doing this?

Answer 1

Something like this could work (I haven't tested it):

RewriteCond %{HTTP_COOKIE} PHPSESSID=([a-zA-Z0-9]+)
RewriteCond %{REQUEST_FILENAME} %{REQUEST_FILENAME}-%1.html
RewriteRule ^ %{REQUEST_FILENAME}-%1.html

It assumes that you append "-$session_id.html" to filenames ($session_id is PHP's session ID).

It should be safe, and the benefit is that files are served by the web server directly without invoking PHP at all.

Answer 2

SetEnvIf HTTP_COOKIE "PHPSESSID" let_me_in
<Directory /www/static/htmls>
  Order Deny,Allow
  Deny from all
  Allow from env=let_me_in
</Directory>  

Of course user can manually create such cookie in his browser (there are extensions which do that for Firefox, and you can always edit your browser's cookie store).

Answer 3

You could use the Apache module mod_rewrite to redirect requests of .html URLs to a PHP script:

RewriteEngine on
RewriteRule \.html$ script.php [L]

The requested URI path and query is then available in the $_SERVER['REQUEST_URI'] variable.

Answer 4

Put you cached files out of your web root, but still in a place where PHP can access them.