Posted by atpunkt@punktat.de on 08/28/07 22:09

Before we get too far off course here - I'd like to describe how I
handled jobs like this:

1- You need $_SESSION-Handling and some kind of Session-Based
Userlogin

2- You create an empty directory like /protected that has a .htaccess-
File with

Deny to All

and the abovementioned mod_rewrite line (slightly modified)

RewriteRule .* ../get_protected.php?file=$0 [L,QSA]

3- you put all the stuff to be protected in a 'data' directory OUTSIDE
the webserver path (you can leave it in /protected, but outside it's
even safer)

4- in get_protected.php you
- authenticate the user from his $_SESSION-data
- find the file by inspecting $_GET['file'] and checking if it
exists in your 'data' directories
- set the mimetype in the Header according to the filetype
- use readfile() to send the file to the user

*- expect webserver processing time to be higher than normal for
session handling and php in places where it usually isn't used (like
displaying images)

as said before: there's no way to do http-authentication (.htpasswd/
mod_auth_mysql) by setting the Authentication headers without
presenting the user with a browser-password-form. I had it working
once (by creating a meta-refresh to an URL that used the
http://user:password@www.myserver.com-Scheme) but that was rather
dirty, presented passwords in cleartext and was removed when IE6 no
longer accepted this password/URL scheme.

Hope this helps
Phil

[Back to original message]