Question

I am currently developing an Apache module and after parsing POST data from a request to another page, I make an internal redirect to a PHP page that makes some final operations and echoes out an HTML meta refresh tag. This in turn makes the browser refresh, requesting the first page.

The problem is, I don't want explicit outside requests to be able to access that page, but let the module do the internal redirect successfully.

Is there a way I can do this? I have tried using:

<Directory /var/www/cc_jnlp/php/>
    <Files session_init.php>
        Order allow,deny
        Deny from all
    </Files>
</Directory>

...but that just blocks all requests, regardless of whether or not it was an internal redirect.


Solution 2

A good approach would be to send something with the request that would identify it as a legitimate one. My first approach was to generate a big random number at the start of the server activity, and transmit it along with the data. The module would identify all requests to that page, and deny those that didn't include that specific query argument. Problem was, this was susceptible to brute-forcing, and the only way to counter it was to increase key size.

My definitive solution will use the Apache Notes system to transmit the data instead, and assuming that only the Apache server itself can manipulate that data, we can safely deny all requests that don't include it.

Other tips

Try with the following configuration:

<Directory /var/www/cc_jnlp/php/>
    <Files session_init.php>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Files>
</Directory>
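
A configuration-only variant of the same idea (a marker that only the server can set), added here as an example and not taken from either post: Apache puts REDIRECT_STATUS into the environment of the request it creates for an internal redirect, and a client cannot set that variable. It assumes no other internal redirect (an ErrorDocument or a mod_rewrite rule, for instance) ends at this file, since any such redirect would also be allowed.

```apache
# Added example, not from the posts on this page.
# REDIRECT_STATUS exists only on a request produced by an internal redirect;
# a request sent directly by a client arrives without it and is denied.

# Apache 2.2 (mod_authz_host), same directive family as the configs above
<IfModule !mod_authz_core.c>
    <Directory /var/www/cc_jnlp/php/>
        <Files session_init.php>
            Order deny,allow
            Deny from all
            Allow from env=REDIRECT_STATUS
        </Files>
    </Directory>
</IfModule>

# Apache 2.4 (mod_authz_core) equivalent
<IfModule mod_authz_core.c>
    <Directory /var/www/cc_jnlp/php/>
        <Files session_init.php>
            Require env REDIRECT_STATUS
        </Files>
    </Directory>
</IfModule>
```

A direct request for session_init.php should then return 403, while the module's internal redirect to it still succeeds.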
License: CC-BY-SA with attribution
Not affiliated with StackOverflow