Situation
I am creating a video processing site for a client in the RackSpace cloud using the traditional LAMP stack (the RackSpace cloud has a Windows and LAMP stack). The videos and other multimedia files that I serve on this site should be protected, as my client charges money for access to them. We don't have DRM or funny business, in fact, we store files outside the root of the website and use PHP to authenticate the user before they can access the files using mod_rewrite to run the request through PHP.
So, let's say a user requests a file at this URL:
http://www.example.com/uploads/preview_image/29.jpg
I use mod_rewrite to rewrite this URL to:
http://www.example.com/files.php?path=%2Fuploads%2Fpreview_image%2F29.jpg
Here is a simplified version of the files.php script:
<?php
// Sets up the environment and sets $logged_in
// This part requires $_SESSION
require_once('../../includes/user_config.php');

if (!$logged_in) {
    // Redirect non-authenticated users
    header('Location: login.php');
    // Stop here: header() alone does not end the script,
    // so without this the file below would still be sent
    exit();
}

// This user is authenticated, continue
$content_type = "image/jpeg";

// getAbsolutePathForRequestedResource() takes
// a Query Parameter called path and uses DB
// lookups and some string manipulation to get
// an absolute path. This part doesn't have
// any bearing on the problem at hand
$file_path = getAbsolutePathForRequestedResource($_GET['path']);

// At this point $file_path looks something like
// this: "/path/to/a/place/outside/the/webroot"
if (file_exists($file_path) && !is_dir($file_path)) {
    header("Content-Type: $content_type");
    header('Content-Length: ' . filesize($file_path));
    echo file_get_contents($file_path);
} else {
    header('HTTP/1.0 404 Not Found');
    header('Status: 404 Not Found');
    echo '404 Not Found';
}
exit();
?>
Problem
Let me start by saying that this works great for me. On local test machines, this works like a charm. However, after it is deployed in the cloud, it stops working. After some debugging, it turns out that if the cloud request has certain file extensions, such as .JPG, .PNG or .SWF (i.e. extensions of usually static media files), the request is sent to a caching system called Varnish. The end result of this routing is that by the time this whole process gets to my PHP script, there is no session.
If I change the extension in the URL to .PHP, or even if I add a request parameter, then Varnish is bypassed, and the PHP script can get the session. No problems? I will just add a meaningless query parameter to my queries!
Here is the rub: the multimedia files that I serve through this system are requested through compiled SWF files over which I have zero control. They are created by third-party software, and I have no hope of adding or changing the URLs that they request.
Are there any other options that I have?
Update: I should note that I tested this behavior with RackSpace support, and they said that they can do nothing about it.
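An added example, not part of the original post and not a fix for the Varnish routing it describes: a hardened sketch of the kind of gate script shown above, which stops after the login redirect, confines the requested path to the protected directory, and marks the response as not storable by shared caches. `PROTECTED_ROOT`, the `$_SESSION['user_id']` check and `resolve_protected_path()` are assumptions standing in for the poster's `user_config.php` and `getAbsolutePathForRequestedResource()`.

```php
<?php
// Added example (not the poster's code). All names below are hypothetical.
const PROTECTED_ROOT = '/srv/protected-media'; // assumed directory outside the webroot

/**
 * Map the rewritten ?path= value onto a file under $root.
 * Returns the canonical path, or null if it is missing or escapes $root.
 */
function resolve_protected_path(string $requested, string $root = PROTECTED_ROOT): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", resolves symlinks and fails for missing files.
    $real = realpath($rootReal . '/' . ltrim($requested, '/'));
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The canonical path must still sit inside the protected root.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

session_start();
if (empty($_SESSION['user_id'])) { // assumed marker of a logged-in session
    header('Location: login.php');
    exit; // header() does not end the script; without this the file is still sent
}

$path = $_GET['path'] ?? '';
$file = is_string($path) ? resolve_protected_path($path) : null;
if ($file === null) {
    http_response_code(404);
    exit('404 Not Found');
}

// Mark the response as not storable by shared caches. Whether a given
// reverse proxy honours this depends on how that proxy is configured.
header('Cache-Control: private, no-store');
header('Content-Type: ' . (mime_content_type($file) ?: 'application/octet-stream'));
header('Content-Length: ' . filesize($file));
readfile($file); // streams the file instead of loading it all into memory
exit;
```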