If a site has php session\'s in place to enforce authentication/authorization to pages on the site which are implemented in php, how does the same logic enforce access to ce
You can try HTTP Authentication with PHP. This article might help.
A couple answers:
1) make your php sessions use HTTP authentication. Then you can use a .htaccess file to control file access in directories
2) Use mod_rewrite to redirect all requests to a "front controller". Let the front controller manage whether access is allowed, denied, or forwarded to a different controller module for further processing.
Since PHP won't be invoked when the user requests a non-PHP file, you can't have Apache enforce PHP's access protection. You can make a very coarse and easy-to-fake check in Apache to make sure that a session ID cookie is present, but that's highly insecure. It just checks if the cookie's there, not that it represents a valid session or that the user's actually been granted access.
This other answer might help. Using PHP/Apache to restrict access to static files (html, css, img, etc). Basically, you serve up all the protected content via a PHP script, instead of providing direct access.