[TYPO3-dev] TYPO3 session verification on Apache level
Bart Dubelaar
bart.dubelaar at logica.com
Fri Sep 21 11:34:05 CEST 2012
Hi All,
There are many solutions to secure static file downloads in TYPO3, DAM, FAL,
naw_securedl, etc. They all operate in the same way: they call a PHP script
instead of the file directly.
Two annoyances created by this are:
1: Additional effort is needed to tell the browser what kind of file is
being sent and how to handle it. The PHP script has to construct the correct
HTTP headers; you will rely on the quality of the script for this. Caching
on the client side will mostly fail because cache headers are usually not
sent.
2: All references to the file will have to be converted to the script path
instead of the direct file path. It is hard to keep track of all the places
where this is required. In less frequently used areas of TYPO3 you will see
that images are broken when using any of the script based solutions.
An alternative to these script based solutions is to tackle the problem at
the source. Who is serving these files? Yep, probably Apache. So in all
perspectives it would be much more efficient if Apache would secure access
to the files.
Now Apache allows custom modules for authentication. A solution might be to
have a custom Apache authentication module that is able to check the
existence and validity of BE and FE sessions from cookies sent along in the
requests.
When Googling for such a solution I did not find any information on existing
solutions like this. But maybe it has been done before by someone or it has
been considered by someone. If so, please share your experiences.
Kind regards,
Bart
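
The check proposed in this message, sketched as an added example (not part of the original post, and not TYPO3 or Apache code): the decision an Apache-side hook would make from the request's Cookie header. The cookie names, table and column names, timeout value and the SQLite stand-in for the TYPO3 database are assumptions, and the session rows are constructed sample data.

```python
import sqlite3
import time
from http.cookies import CookieError, SimpleCookie

# Assumed names: TYPO3 session cookies mapped to their session tables.
COOKIE_TABLES = {"be_typo_user": "be_sessions", "fe_typo_user": "fe_sessions"}
SESSION_TIMEOUT = 3600  # seconds; assumed, must match the TYPO3 configuration


def session_is_valid(db, cookie_header, now=None):
    """Return True if a BE or FE session cookie maps to a fresh session row."""
    now = int(time.time()) if now is None else now
    try:
        cookies = SimpleCookie(cookie_header)
    except CookieError:
        return False  # fail closed on an unparseable header
    for name, table in COOKIE_TABLES.items():
        morsel = cookies.get(name)
        # Reject empty or oddly shaped ids before touching the database.
        if morsel is None or not morsel.value.isalnum():
            continue
        row = db.execute(  # table comes from the fixed dict, id is bound
            f"SELECT ses_tstamp FROM {table} WHERE ses_id = ?", (morsel.value,)
        ).fetchone()
        if row and 0 <= now - row[0] <= SESSION_TIMEOUT:
            return True
    return False


def demo_db(now):
    """Constructed in-memory stand-in for the TYPO3 session tables."""
    db = sqlite3.connect(":memory:")
    for table in COOKIE_TABLES.values():
        db.execute(f"CREATE TABLE {table} (ses_id TEXT PRIMARY KEY, ses_tstamp INTEGER)")
    db.execute("INSERT INTO be_sessions VALUES ('a1b2c3', ?)", (now - 60,))    # live
    db.execute("INSERT INTO fe_sessions VALUES ('d4e5f6', ?)", (now - 7200,))  # expired
    return db


if __name__ == "__main__":
    now = int(time.time())
    db = demo_db(now)
    for header in ("be_typo_user=a1b2c3", "fe_typo_user=d4e5f6", "lang=en"):
        verdict = "allow" if session_is_valid(db, header, now) else "deny"
        print(header, "->", verdict)
```

This only establishes that a session row exists and is fresh. Whether that user may read the specific file requested, and any client binding TYPO3 applies to the session, are separate checks that the script-based solutions perform in PHP.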