[TYPO3-dev] TYPO3 session verification on Apache level

Benjamin Beck BenjaminBeck at gmx.de
Fri Sep 21 12:17:01 CEST 2012


Hi Bart,

Reading your mail I had this idea:

You could generate a unique access id (maybe the session id?) and write this to the .htpasswd which protects the downloads.
Then you could use an HTTP redirect to: http://gooduser:secretpassword@www.example.com..

Benjamin

On 21.09.2012, at 11:34, Bart Dubelaar <bart.dubelaar at logica.com> wrote:

> Hi All,
> 
> There are many solutions to secure static file downloads in TYPO3, DAM, FAL, 
> naw_securedl, etc. They all operate in the same way, call a PHP script 
> instead of the file directly.
> 
> Two annoyances created by this are:
> 1: Additional effort is needed to tell the browser what kind of file is 
> being sent and how to handle it. The PHP script has to construct the correct 
> HTTP headers, you will rely on the quality of the script for this. Caching 
> on the client side will mostly fail because cache headers are usually not 
> sent.
> 2: All references to the file will have to be converted to the script path 
> instead of the direct file path. It is hard to keep track of all the places 
> where this is required. In less frequently used areas of TYPO3 you will see 
> that images are broken when using any of the script based solutions.
> 
> An alternative to these script based solutions is to tackle the problem at 
> the source. Who is serving these files? Yep, probably Apache. So in all 
> perspectives it would be much more efficient if Apache would secure access 
> to the files. 
> 
> Now Apache allows custom modules for authentication. A solution might be to 
> have a custom Apache authentication module that is able to check the 
> existence and validity of BE and FE sessions from cookies sent along in the 
> requests.
> 
> When Googling for such a solution I did not find any information on existing 
> solutions like this. But maybe it has been done before by someone or it has 
> been considered by someone. If so, please share your experiences.
> 
> Kind regards,
> Bart
> 
> _______________________________________________
> TYPO3-dev mailing list
> TYPO3-dev at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-dev
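
Added example, not part of the thread and not code from either poster or from TYPO3: a sketch of the session check that a web-server-level authorisation hook, as proposed in the quoted message, would have to perform before a static file is served. The cookie name, table and column names, session id format and timeout are assumptions, the session rows are constructed, and extras such as IP locking are not modelled.

```python
import re
import sqlite3
import time
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "fe_typo_user"      # assumed front-end session cookie name
SESSION_TIMEOUT = 3600            # assumed idle timeout in seconds
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")  # assumed session id format


def build_demo_db(now):
    """Constructed sample data standing in for the CMS session table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fe_sessions ("
               "ses_id TEXT PRIMARY KEY, ses_userid INTEGER, ses_tstamp INTEGER)")
    db.executemany("INSERT INTO fe_sessions VALUES (?, ?, ?)", [
        ("a" * 32, 7, now - 60),     # logged-in user, recently active
        ("b" * 32, 7, now - 7200),   # logged-in user, idle past the timeout
        ("c" * 32, 0, now - 10),     # anonymous session, no user attached
    ])
    return db


def session_is_valid(db, cookie_header, now=None):
    """Return True only for a known, unexpired session bound to a user."""
    now = int(time.time()) if now is None else now
    try:
        cookies = SimpleCookie()
        cookies.load(cookie_header or "")
    except CookieError:
        return False
    morsel = cookies.get(COOKIE_NAME)
    # Reject anything that is not shaped like a session id before querying.
    if morsel is None or not SESSION_ID_RE.fullmatch(morsel.value):
        return False
    row = db.execute(
        "SELECT ses_userid, ses_tstamp FROM fe_sessions WHERE ses_id = ?",
        (morsel.value,)).fetchone()  # bound parameter, never string-built SQL
    if row is None:
        return False
    user_id, last_seen = row
    return user_id > 0 and 0 <= now - last_seen <= SESSION_TIMEOUT


if __name__ == "__main__":
    NOW = 1348222621  # constructed fixed clock
    db = build_demo_db(NOW)
    for sid in ("a" * 32, "b" * 32, "c" * 32, "d" * 32):
        print(sid[:4], session_is_valid(db, f"{COOKIE_NAME}={sid}", NOW))
```

The check fails closed: a missing cookie, a malformed id, an unknown id, an idle session and a session without a user all yield a denial.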
