If a site has php session's in place to enforce authentication/authorization to pages on the site which are implemented in php, how does the same logic enforce access to certain files.

Lets say a repository of files in a directory. So /var/www/html/ is protected via authentication however, this PHP authentication logic won't prohibit a user from simply going to http://site.com/someDirectory/fileIShouldNotAccess.txt and pulling that file.

How do you couple the php session and authentication with apache to enforce this type of behavior?

Since PHP won't be invoked when the user requests a non-PHP file, you can't have Apache enforce PHP's access protection. You can make a very coarse and easy-to-fake check in Apache to make sure that a session ID cookie is present, but that's highly insecure. It just checks if the cookie's there, not that it represents a valid session or that the user's actually been granted access.

This other answer might help. Using PHP/Apache to restrict access to static files (html, css, img, etc). Basically, you serve up all the protected content via a PHP script, instead of providing direct access.

A couple answers:

1) make your php sessions use HTTP authentication. Then you can use a .htaccess file to control file access in directories

2) Use mod_rewrite to redirect all requests to a "front controller". Let the front controller manage whether access is allowed, denied, or forwarded to a different controller module for further processing.

You can try HTTP Authentication with PHP. This article might help.