I have made a RewriteRule in .htaccess to return a file only if the user is logged in:

    RewriteRule ^(.*)$ ../authorize.php?file=$1 [NC]

authorize.php looks like this:

    <?php
    session_start();
    // Reject the request unless the session belongs to a logged-in user and the token matches
    if (!isset($_SESSION["user_id"]) || $_SESSION["user_sessid"] != session_id() || $_REQUEST["token"] != $_TOKEN) {
        header("HTTP/1.1 404 NOT FOUND");
    } else {
        // The file name comes from the request (set by the RewriteRule above)
        $file = "public/" . $_REQUEST['file'];
        $contentType = mime_content_type($file);
        header("Content-type: $contentType");
        header('Content-Disposition: inline;');
        readfile($file);
    }

Here are the headers from one of the file responses:

    HTTP/1.1 200 OK
    Date: Thu, 14 Mar 2019 14:51:54 GMT
    Server: Apache/2.4.25 (Debian)
    X-Powered-By: PHP/7.0.33
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: max-age=3153600000
    Pragma: no-cache
    Content-Disposition: inline;
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: image/jpeg

The problem is that all files are not being cached by a browser after these changes. Any ideas what could be wrong?
Expires: Thu, 19 Nov 1981 08:52:00 GMT is not a problem; if I change it to a later date, the files remain uncached.
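
An added example, not part of the original post: a variant of authorize.php that turns off the cache headers PHP's session module sends by default (the 1981 `Expires` and `Pragma: no-cache` seen above), sends its own private caching headers with validators, and keeps the requested path inside `public/`. The one-hour `max-age`, the ETag format, the `deny()` helper and the use of `__DIR__` are assumptions; the token check is left out because `$_TOKEN` is defined outside the code shown.

```php
<?php
// Added example, not the poster's code.
// With the default session.cache_limiter ("nocache"), session_start() sends
// Expires: Thu, 19 Nov 1981, Cache-Control: no-store... and Pragma: no-cache.
// An empty limiter disables that; it must be set before session_start().
session_cache_limiter('');
session_start();

// Hypothetical helper: same 404 answer the original gives to unauthorized users.
function deny()
{
    http_response_code(404);
    exit;
}

if (!isset($_SESSION['user_id']) || $_SESSION['user_sessid'] !== session_id()) {
    deny();
}

// Resolve the requested name and require it to stay below public/, so that
// "../" sequences or symlinks cannot reach files outside that directory.
$base = realpath(__DIR__ . '/public');
if ($base === false) {
    deny();
}
$path = realpath($base . '/' . ($_GET['file'] ?? ''));
if ($path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    deny();
}

// "private": the response depends on the login, so only the user's own
// browser may store it, never a shared proxy or CDN cache.
$mtime = filemtime($path);
$etag  = sprintf('"%x-%x"', $mtime, filesize($path));
header('Cache-Control: private, max-age=3600');
header('ETag: ' . $etag);
header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $mtime) . ' GMT');

// Conditional request: the browser already holds this version.
if (($_SERVER['HTTP_IF_NONE_MATCH'] ?? '') === $etag) {
    http_response_code(304);
    exit;
}

header('Content-Type: ' . mime_content_type($path));
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline');
header('X-Content-Type-Options: nosniff');
readfile($path);
```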