[TYPO3-dev] TYPO3 session verification on Apache level

Bart Dubelaar bart.dubelaar at logica.com
Fri Sep 21 11:34:05 CEST 2012


Hi All,

There are many solutions to secure static file downloads in TYPO3: DAM, FAL, 
naw_securedl, etc. They all operate in the same way: they call a PHP script 
instead of the file directly.

Two annoyances created by this are:
1: Additional effort is needed to tell the browser what kind of file is 
being sent and how to handle it. The PHP script has to construct the correct 
HTTP headers; you will rely on the quality of the script for this. Caching 
on the client side will mostly fail because cache headers are usually not 
sent.
2: All references to the file will have to be converted to the script path 
instead of the direct file path. It is hard to keep track of all the places 
where this is required. In less frequently used areas of TYPO3 you will see 
that images are broken when using any of the script based solutions.

An alternative to these script based solutions is to tackle the problem at 
the source. Who is serving these files? Yep, probably Apache. So in all 
perspectives it would be much more efficient if Apache would secure access 
to the files. 

Now Apache allows custom modules for authentication. A solution might be to 
have a custom Apache authentication module that is able to check the 
existence and validity of BE and FE sessions from cookies sent along in the 
requests.

When Googling for such a solution I did not find any information on existing 
solutions like this. But maybe it has been done before by someone or it has 
been considered by someone. If so, please share your experiences.

Kind regards,
Bart
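
Added example, not part of the original post and not TYPO3 or Apache code: a Python model of the decision such a server-level check would make before a static file is served. The simplified `fe_sessions` columns, the 32-hex-character session id format, the 3600-second lifetime and the sample rows are assumptions constructed for the sketch; a real check would also honour TYPO3's IP and hash locks.

```python
import re
import sqlite3
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "fe_typo_user"             # TYPO3's default front-end session cookie
SESSION_LIFETIME = 3600                  # assumed session timeout, in seconds
SES_ID_RE = re.compile(r"[0-9a-f]{32}")  # assumed session id format


def make_session_db():
    """Constructed stand-in for the session table (simplified columns)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fe_sessions ("
               "ses_id TEXT PRIMARY KEY, ses_userid INTEGER, ses_tstamp INTEGER)")
    db.executemany("INSERT INTO fe_sessions VALUES (?, ?, ?)", [
        ("a" * 32, 7, 9000),   # constructed: recently active session
        ("b" * 32, 9, 1000),   # constructed: session idle past the lifetime
    ])
    return db


def authorize(cookie_header, db, now):
    """Return the status the access check would produce: 200 or 403.

    Every failure path denies, so a missing, malformed, unknown or
    expired session never falls through to serving the file.
    """
    cookies = SimpleCookie()
    try:
        cookies.load(cookie_header or "")
    except CookieError:
        return 403
    morsel = cookies.get(COOKIE_NAME)
    # Reject anything that is not shaped like a session id before touching the DB.
    if morsel is None or not SES_ID_RE.fullmatch(morsel.value):
        return 403
    # Parameterized lookup: the cookie value is never spliced into the SQL text.
    row = db.execute(
        "SELECT ses_userid, ses_tstamp FROM fe_sessions WHERE ses_id = ?",
        (morsel.value,),
    ).fetchone()
    if row is None:
        return 403
    userid, last_seen = row
    if userid <= 0 or now - last_seen > SESSION_LIFETIME:
        return 403
    return 200
```

Because the file is still served by the web server itself once the check passes, content-type and cache headers are produced the usual way and existing file URLs do not change.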



