I've got a Light setup and Among the finest to have the ability to safeguard content around the web page (images,css,videos,etc) to ensure that only drenched in customers can can get on.

I recognize I'm able to do that easily with .htaccess. However don't want to make use of the authentication popup, and I wish to have the ability to use periods as well as have the ability to logout.

I'm using php to complete the job of authenticating with mysql and make periods. This is effective. But images, css, javascript etc continue to be accessible.

How do you allow accessibility content only when a legitimate php session is available?

I know of using mod_rewrite to forward files to some php file (like auth.php?file=...) and do session checking there. This appears inefficient to determine the session for every image inside a page that was already checked. It appears just like a hack and that i keep thinking there's a cleaner method of carrying this out.

It is possible to mod for apache like mod_session_cookie that may see if a cookie having a session key is available during my session database and when so sets Allow all for that directory?

Alternatively, can you really use mod_auth_mysql but additionally have the ability to use periods and login utilizing a php form and never the authentication popup?


Here's my means to fix the issue:

During my apache configuration file (not .htaccess) I added:

RewriteLock /var/www/lib/rewrite.lock

    RewriteEngine on
    RewriteMap sessionValid prg:/var/www/lib/allow.php

    <Directory /var/www/client/*>
            RewriteEngine on

            RewriteCond %{HTTP_COOKIE} !client-cookie=([^;]+)
            RewriteRule .* - [L,R=403]

            RewriteCond %{HTTP_COOKIE} client-cookie=([^;]+)
            RewriteCond ${sessionValid:%1} !valid
            RewriteRule .* - [L,R=403]

And also the script allow.php:


echo ""; 
$stdin = fopen("php://stdin","r");
$db = mysql_connect(...);  
mysql_select_db(..., $db);
$querypre = "SELECT ID FROM Sessions WHERE ID='";

while (1) {
  $line = trim(fgets($stdin));

  $query = $querypre.mysql_real_escape_string($line)."'";
  $result = mysql_query($query);

  if (mysql_num_rows($result) > 0)


This works like no bodies business. By using this and session_set_save_handler I could use php periods backed by mysql to secure both php pages and all sorts of content within. I really hope someone finds this helpful.

Some caveats:

  • The RewriteMap statement must be defined within the virtual host block if you are planning for doing things within that virtual host. Placing it outdoors from the block won't work.
  • You'll want set RewriteEngine on before determining the RewriteMap or it will likely be overlooked.
  • RewriteLock can't be within the virtual host block.
  • Just like any spend script, the php file should be executable through the apache user and without any ^M's
  • RewriteMap claims can't be put into .htaccess however the other claims which use the map can.
RewriteCond %{HTTP_COOKIE} !mysessioncookie=([^;]+)
RewriteRule .+\.(jpg|css|js) forbidden.html [R=403]

Rather than connecting right to the assets, use some type of controller for everyone the pictures.

For instance, connecting to 'images/bob.jpg' wouldn't really indicate an origin, but a script, which inspections login, and when effective, transmits image/jpeg headers using the correct data.

I really avoid using Apache I personally use lighttpd, with a plug-for the reason that will restrict use of a folder according to if your correct hash is passed within the URI. Essentially, the application logic and also the webserver share a secret salt that's then used to develop a hash using the current time, also is passed using the hash. When the time is in the past a few minutes, it grants or loans access. Otherwise, or maybe the hash is invalid, it does not. I am searching around to ascertain if there is a similar wordpress plugin for Apache right now.

Edit: mod_auth_token seems to complete exactly the same factor for Apache.