I'm developing an LMS solution with php/apache which takes SCORM files and outputs the courses for users to undertake in the format http://www.example.com/courses/course1/index.html

The LMS itself will be accessible by anyone and as the course content is static html I don't seem to have many options in regards to authentication.

I originally thought that creating some htaccess/htpasswd files in the folder would be ok, but I can't see a way of authenticating the user in php so they're not shown a password prompt each time they want to view the course - they would have already authenticated in my app previously.

Does anyone know of the best method to secure static content so that authorised (by my php app) users can view the content fine, but everyone else sees nothing?

+1  A: 

If PHP handles the login itself, the easiest option is to serve the content through PHP itself.

You can put the static files in a directory not mapped to the URL space or in a mapped URL that is behind a directory denying all requests and then use readfile:

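//request to /download_static.php?file=xxxx.rtf
//has_access() stands for the application's own login check
if (!has_access())
    die("unauthorized");

//FILTER_SANITIZE_STRING is deprecated as of PHP 8.1
if ($f = filter_input(INPUT_GET, 'file', FILTER_SANITIZE_STRING,
        FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH)) {
    //strpos() returns 0 for a match at the start of the string,
    //so compare against false instead of relying on truthiness
    if (strpos($f, "/") !== false || strpos($f, "\\") !== false
            || strpos($f, "..") !== false || !is_file("statics/$f"))
        die("no such file");
} else {
    die("invalid request");
}
header("Content-type: application/rtf"); //or whatever
//can also send e-tag, last modified, size...

readfile("statics/$f");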

Another option, only available if PHP is installed as an Apache module, is to do the authentication and then call virtual.

Artefacto
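
An added example, not part of the answer above: the same readfile approach extended to SCORM packages, whose files sit in nested folders, so the requested path is resolved with realpath() and must stay inside the one course the user is authorised for. The script name course.php, the directory /var/lms/courses, the session keys user_id and courses, and the use of PATH_INFO (so that relative links inside a course keep working) are all assumptions.

```php
<?php
// Request form (assumed): /course.php/course1/scripts/api.js
// Assumptions: course folders live in COURSE_ROOT, outside the web root; the LMS
// login stores the user id and the list of permitted course folder names in
// $_SESSION['user_id'] and $_SESSION['courses'] (hypothetical names).
const COURSE_ROOT = '/var/lms/courses';
const MIME_TYPES = [
    'html' => 'text/html; charset=utf-8', 'js' => 'application/javascript',
    'css' => 'text/css', 'xml' => 'application/xml', 'png' => 'image/png',
    'jpg' => 'image/jpeg', 'gif' => 'image/gif', 'mp4' => 'video/mp4',
];

// Returns the canonical path of $relative inside $root, or null when it does
// not exist, is not a regular file, or resolves to somewhere outside $root.
function resolve_inside(string $root, string $relative): ?string
{
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    $base = realpath($root);
    $path = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Trailing separator so that "course1-old" is not accepted for "course1".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
$parts  = explode('/', ltrim($_SERVER['PATH_INFO'] ?? '', '/'), 2);
$course = $parts[0];
$file   = $parts[1] ?? '';

// The course name must exactly match one stored server-side at login.
if (empty($_SESSION['user_id']) || !in_array($course, $_SESSION['courses'] ?? [], true)) {
    http_response_code(403);
    exit('unauthorized');
}
$path = resolve_inside(COURSE_ROOT . DIRECTORY_SEPARATOR . $course, $file);
$ext  = $path === null ? '' : strtolower(pathinfo($path, PATHINFO_EXTENSION));
if ($path === null || !array_key_exists($ext, MIME_TYPES)) {
    http_response_code(404);
    exit('no such file');
}
header('Content-Type: ' . MIME_TYPES[$ext]);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because the containment check runs on the resolved path, "../" sequences and symlinks that lead out of the course folder end in the same 404 as a missing file.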