I have been protecting directories with .htaccess files for a while now. However, as you get a lot of users that need to authenticate to a directory you can start to have performance issues on the server. I then started to stream all content through PHP to the user, but if you have large files, and lots of hits to the server, you will also begin to experience performance issues. Not to mention you have issues with some web hosts not giving you control over the execution time limits of a PHP script, which will halt all php initiated streams.
I got to thinking. Instead of authenticating each user through a .htaccess file I could have a .htaccess file that would only allow one user to authenticate to the directory and all files inside from outside the server. This one user would be operated by the PHP script. The user visiting the site would have no idea of this authentication mechanism. Essentially if they wanted to download a file from directory x, the only way they would be able to do so would be through the php script. If they visited the directory directly without being passed through the PHP script, they would be denied access. This would allow normal PHP authentication and access mechanisms for protected directory and file access.
I have seen various sites employ a theory like this, at least that is how I perceive it. I, the visiting user, would not have to log in to access the sites download section. However if I navigate to the web directory without the aid of the sites PHP scripts, I get an access denied message. My problem is, I don't know quite how to make this happen. I am not sure how to give PHP the ability to authenticate the users browser session with a set of user credentials unknown to the visiting user so that they can have access to the protected directory or file. Does anyone know how to point me in the right direction to make this happen?
Thanks in advance.
