[TYPO3-dev] TYPO3 session verification on Apache level

Bart Dubelaar bart.dubelaar at logica.com
Fri Sep 21 15:51:22 CEST 2012


The idea of writing to a .htpasswd file brought me to another possibility:

The Apache Rewrite Module has an option to look up values in a file using 
the RewriteMap directive and map them to a value given in the file.
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewritemap

If TYPO3 would write all authenticated sessions to a file (with a mapping 
value of "authenticated" for instance), then the fe_typo_user or 
be_typo_user cookie value can be looked up with the RewriteMap directive 
and the result ("authenticated" or blank) can then be written to an 
environment variable. Then a simple Allow from rule that checks the env 
variable will block all non-authenticated users. So no rewriting of URLs to 
append user:pass is needed.
A nice thing about the RewriteMaps is that the mapped values are cached by 
Apache and reloaded when the file changes, so it should be pretty fast. Of 
course TYPO3 needs to update the file on every login and logout/timeout.

Another idea I had earlier is also to use RewriteMaps, but to use the option 
to map the values (in this case the cookies) with an external rewriting 
program. This program could then check the status of the session on demand, 
so no hooking on login and logout is necessary. However, this might be rather 
intensive to do on each request, so you would want to cache results, and then 
again you'd need to hook on the logins and logouts.

Thanks for the nice ideas so far!

Kind regards,
Bart


Stefan Neufeind wrote:

> Hmm, maybe writing an htaccess-file which matches on a certain cookie?
> But you'd have to remove that when the person logs out or permissions of
> the page changes etc.
> 
> Extensions like naw_secure_dl secure links on a per-file-level based on
> the page-rights from which those files are linked. So it doesn't only
> protect a download-folder as a whole but also individual files and
> permissions can "instantly" be removed (person logged out, permissions
> on page changed).
> 
> 
> Kind regards,
>  Stefan
> 
> On 09/21/2012 12:17 PM, Benjamin Beck wrote:
>> Hi Bart,
>> 
>> Reading your mail, I had this idea:
>> 
>> You could generate a unique access id (maybe the session id?) and write
>> this to the .htpasswd which protects the downloads. Then you could use an
>> HTTP redirect to: http://gooduser:secretpassword@www.example.com
>> 
>> Benjamin
>> 
>> On 21.09.2012, at 11:34, Bart Dubelaar <bart.dubelaar at logica.com> wrote:
>> 
>>> Hi All,
>>>
>>> There are many solutions to secure static file downloads in TYPO3, DAM,
>>> FAL, naw_securedl, etc. They all operate in the same way, call a PHP
>>> script instead of the file directly.
> 
> [...]
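The RewriteMap scheme Bart proposes above, written out as an added example that is not part of the thread: an Apache 2.2 virtual host fragment that looks the fe_typo_user cookie value up in a map file TYPO3 would maintain and admits only requests with a listed session to the protected directory. The map path, the protected directory, the environment variable name and the map value "authenticated" are placeholders chosen for illustration.

```apache
# Added example (not from the thread). Apache 2.2 syntax, as linked in the
# mail; RewriteMap is only valid in server or virtual host context, not in
# .htaccess, so this belongs in the vhost that serves the TYPO3 site.

# Map file written by TYPO3 on login/logout/timeout (assumed path, kept
# outside the document root). One whitespace-separated entry per line:
#   <fe_typo_user cookie value>   authenticated
# mod_rewrite caches txt: maps and re-reads the file when its mtime changes.
RewriteMap fe_sessions txt:/var/www/typo3-private/fe_sessions.map

RewriteEngine On

# Pull the fe_typo_user value out of the Cookie header. The cookie may be
# preceded by other cookies, so accept either start-of-header or "; ".
RewriteCond %{HTTP_COOKIE} (?:^|;\s*)fe_typo_user=([^;]+)
# Look that value up in the map; an unknown session falls back to "anonymous",
# so only a session TYPO3 has listed as authenticated passes this condition.
RewriteCond ${fe_sessions:%1|anonymous} =authenticated
# No URL change ("-"); just flag the request as coming from a live FE session.
RewriteRule ^/fileadmin/protected/ - [E=TYPO3_FE_AUTH:1]

# Deny everything under the protected folder unless the flag was set above.
# (On Apache 2.4 the three access lines become: Require env TYPO3_FE_AUTH)
<Directory /var/www/html/fileadmin/protected>
    Order Deny,Allow
    Deny from all
    Allow from env=TYPO3_FE_AUTH
</Directory>
```

A request whose cookie is missing, or whose session id is not in the map, never gets the environment variable and is answered with 403 by the Directory block; whether the entry exists is decided entirely by what TYPO3 writes to the map file.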