rtoscano

Wow, I like the solution you described monk.e.boy. I could have a php page, serveImage.php, that takes in some url arguments like the path to the image, and then write the appropriate images headers to send the image back. I wonder what kind of effects this will have on the browser experience and other parts of my website. I'll try to implement this and post if there were any drawbacks or anything I can't think of now. Thanks again for the solution. Thanks mbtaylor for your suggestion, but that is not what I want to do as I said in my first post on this thread. That tutorial shows you how to ask the user for HTTP authentication credentials with PHP. I do not want to prompt the user for these credentials. But according to monk.e.boy, I won't even need to use HTTP authentication. And I believe the solution you provided, ShogunWarrior, is similar to monk.e.boy's. Could this also be a solution for the hot-linking problem?

Thanks for the tip, I never thought to search for the hot-linking problem. However, this doesn't seem like a very secure way to protect my image files from people who don't have an account with my website. Couldn't I synthesize an HTTP request that has the appropriate referrer in order to gain access to the images? Couldn't I obtain this appropriate referrer from observing an existing HTTP request? What about browsers that don't support including a referrer in their image request? Will I have to synthesize an appropriate HTTP request for every image request that they make? Isn't there a way to place a cookie on the client's machine that will let apache know that this user is already valid? My site is protected with SSL which means that any password exchange is encrypted. And I suppose so to would be the HTTP referrer. So I guess the hot-linking solution would work, it just doesn't seem like a very clean way of going about things. I'd have to make entries for different file types and for different directories (if the protected areas are scattered). Any other solutions? Thanks again.

I guess I should have been clearer in my first post. The reason why I cannot protect the protected area with my PHP authentication mechanism is that they are not PHP files. The only way I could think of protecting image files like .jpg, .gif, and other non .php files was to use HTTP authentication. I don't want these files available to people who haven't logged in to the PHP mechanism, but I do want them available to people who are logged in. However, I don't want to prompt them for a separate user name and password just so they can access the protected content after they've already logged in. I hope I made my task clearer and I really appreciate the quick response.

Hi, I've been searching the internet for a few hours and have hit all too many tutorials/articles about how to request HTTP credentials from a user using PHP. This is not what I want to do. I am running Apache 2 with PHP 5. I have a protected area in my website that I want to protect with HTTP basic authentication. However, I have a PHP login/logout mechanism where usernames and passwords are grabbed from a database and has nothing to do with the HTTP authentication. What I would like to do is when the user successfully logs in with my PHP script, they will also be HTTP authenticated with Apache. In other words, if the user tries to access the protected content, they won't be prompted with the browser credential input box. Instead, they will never see this prompt because my PHP script took care of it. Do I have to write the Authentication headers myself? Can I store a cookie on the client so that Apache will think they're authenticated? Is there an easier way to do this? Thanks in advance.