Use PHP/Apache to restrict access to images

Question

Use PHP/Apache to restrict access to images

First, I know this is NOT a new topic, or even a duplicate that was discussed, but I want to propose a new aproach, that I don't know how to implement:

My idea is the following:

• APACHE should deliver the file not PHP. This is highly critical
• PHP should just do the authentication and re-send/forward the request with some trick/variable set)
  • the same-request is being re-sent and this second time the Rewrite Conditions should fail(due to the trick) and the file should be directly delivered.

Steps:

1. request is coming in(URL = http://somedomain.com/files/image1.png), apache forwards it to access.php
2. access.php checks that the user has access to the file
3. IF check is successful, then PHP sets an environment variable AUTHORIZED = true and makes an internal re-direct to the original URL.
4. Same request is coming in (SECOND time - this time with AUTHORIZED set) -> RewriteCond will NOT match(RewriteCond %{ENV:AUTHORIZED} !^$), and the file will be delivered.

I am not sure how to make a proper link between step 3 and 4. Not sure how that would be possible.

I am not sure what kind of mechanisms are available from PHP to set an apache environment variable, or something similar.

Any input would be appreciated.

Code samples:

.htaccess

RewriteEngine on  
RewriteCond %{ENV:AUTHORIZED} !^$
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ access.php [L]

access.php

if ( 1 == 1 /* check if user is authorized*/ ) {
    // set an environment variable for apache!!!
    apache_setenv( 'AUTHORIZED', "true" ); //not working!

    //forward the request
    header( "Location:" . $_SERVER[ 'REQUEST_URI' ] );
    exit;
} else  {
    header("HTTP/1.1 401 Unauthorized");
    exit;
}

Some references:

https://serverfault.com/questions/374955/protecting-images-from-direct-access-by-checking-current-php-session-with-mod-re

Using PHP/Apache to restrict access to static files (html, css, img, etc)

Answer 1

I am not sure how to make a proper link between step 3 and 4. Not sure how that would be possible.

It isn't, at least not in practical terms. HTTP is stateless.

I'm not too familiar with the Apache life cycle, but any environment variable would last either:

• Only for the request, in which case it wouldn't exist when the client made another request in response to the redirect
• Globally, in which case every request (from every client) would be given access

In theory you could authorise an IP address (but IP addresses are shared so you'd be giving access to anybody who shared the IP … such as everyone in the same building as the client in many cases). So, that wouldn't be secure.

You could set a cookie and then have another mechanism check for that cookie … but then you'd either need to repeat the authentication or have a shared cookie that anyone could copy. So, that wouldn't be secure.

If you were working in C or Perl (mod_perl) then you could write an Apache module to hook in to the authentication/authorization part of the request cycle. But you're working in PHP and, as far as I know, nobody has ever written anything to let PHP play with Apache's internals (well, unless you count PHP.pm, but I've no idea how neatly you could tie that in with mod_perl).