What I want is a login wrapper around the entire webroot on a server running Apache 2.4 and PHP 8.2. This wrapper is only to be triggered when the client IP address is an outdoor address (i.e. other than indoor IPs like 10.0.0.0/8 or 192.168.0.0/16).
So far so good, that can I handle in Apache in .htaccess.
But when this is the case, all pages, regardless any, of the webserver should redirect to the login page when not logged in.
RewriteEngine on
# No indoor addresses
RewriteCond %{REMOTE_ADDR} !(^::1|127.0|192.168.0.0|10.0)
# All webpages on this server
RewriteCond %{REQUEST_URI} ^.*$ [NC]
# Cookie with name $(THECOOKIENAME) should not be set (this is the line I ask about)
RewriteCond expr "%{HTTP_COOKIE} -strcmatch '!*%{ENV:THECOOKIENAME}'"
# When all conditions met, go to login page
RewriteRule $ /loginpage.php [L]
So Apache checks whether a cookie is set with the name set in an envrironment variable $(THECOOKIENAME), which is to be set in a PHP script with a unique hexstring per session. I cannot use constants obviously because then setting the fixed cookie name simply allows login without credentials.
PHP code in loginpage.php::
if ($cookiename = auth_login()) { // check for login and generate unique key
apache_setenv($cookiename, 1);
header("Location: " .$_SERVER["REQUEST_URI"]); exit;
} else {
apache_setenv($cookiename, "");
echo showloginprompt();
}
Now the problem is that the env variable set by apache_setenv() is not recognized in Apache. I tried with a fixed $cookiename but even then it does not recognize the environmental variable.
I tried putenv($hexstring, 1) or even $_ENV['THECOOKIENAME'] = $hexstring; but to no avail as well.
It appears these functions only works in a single request. AFAIK, the $_SESSION would be nice, but it is not available under Apache (httpd.conf or .htaccess).
Does somebody know how to pass variables cross request between PHP and Apache ?