FutureQuest, Inc.

Old 01-31-2001, 06:28 PM   Postid: 22518
dank
dynamic htaccess?

Suppose you have a PHP/MySQL user/session managing script which directs authorized users to a subdirectory for downloads.  Is there any way to password protect the subdirectory that contains the actual download files without making it inaccessible by the download script?

If the htaccess file could somehow recognize valid sessions or users in the database, that could possibly be passed through as part of the download URL...  I can't think of any way to do that, though.  Could the htaccess file be set to only allow access to that subdirectory if routed through the download script (which contains user authentication)?  Do <Location> or <LocationMatch> work on the sending URL or the receiving URL?

The next best thing I can think of is to bury the download subdirectory deep in the directory structure with non-pronounceable directory names and place a blank index file in it.  That should eliminate 99.99% of people stumbling across it, but why not strive for 100%?

Dan
Old 02-01-2001, 12:42 AM   Postid: 22519
PaulKroll
Well, you could try to send them to a PHP script that A) sends the right content-headers (for whatever type of file they're supposed to be downloading) and then sends the file with fopen and fpassthru. That way, you actually are able to verify on a session-basis that yes, this user can have the file, or no, they get an error or a redirect (probably a redirect would be better...)

I've done similar stuff w/gifs, pretty sure it'll work with virtually (HA!) any kind of MIME type.
Old 02-01-2001, 03:21 AM   Postid: 22520
dank
Took some playing around with to get the correct content headers specified, but I think I got it pretty much working (although, I imagine I'll be horrified as soon as I test it in something other than IE).  fpassthru and gzpassthru are somewhat picky about those dang content headers, so it took some restructuring of what order everything is processed.

Still doesn't solve the problem of the actual download subdirectory being unprotected, but at least the path is never made readily visible, as far as I can tell.  Using fopen and a JavaScript redirect before (since I hadn't yet restructured things to make the Location header usable) would fire up the Netscape SmartDownload which plastered the entire URL as plain as could be in the download window and refreshes the page after completing the download, resulting in the download being counted twice, sans checking for such redundancy...  SmartDownload my a**...  

Dan
Old 02-01-2001, 11:39 AM   Postid: 22521
PaulKroll
Quote:
Still doesn't solve the problem of the actual download subdirectory being unprotected
If the PHP script is sending the content headers and passing thru the file, the file can be anywhere: including out of the www/ path. You can make a /big/dom/xdomain/downloads directory that can't be accessed except for the PHP script, that "knows" where the files are.
PaulKroll is offline   Reply With Quote
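
The approach from PaulKroll's two replies (session check, content headers, fopen/fpassthru, files kept outside the www/ path), written out as an added example that is not code posted by anyone in this thread. The session key `user_id`, the `file` query parameter, `/login.php` and the helper `resolve_download` are assumptions; the directory is the one named in the reply.

```php
<?php
// Added example, not from the thread. Assumed names: $_SESSION['user_id'],
// the "file" query parameter, /login.php, resolve_download().
declare(strict_types=1);

// Storage directory outside the web root, so no URL maps to it directly.
const DOWNLOAD_DIR = '/big/dom/xdomain/downloads';

// Map a requested name to a real file inside $baseDir, or return null.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops directory components such as "../";
    // realpath() then resolves symlinks to the file's true location.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still sit under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');   // not authorized: redirect
    exit;
}

$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolve_download(DOWNLOAD_DIR, $requested);
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

// All headers must be sent before the first byte of the file.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');

$fp = fopen($path, 'rb');
if ($fp === false) { http_response_code(500); exit; }
fpassthru($fp);
fclose($fp);
```

Because the script is the only route to the files, the session check cannot be bypassed by guessing a directory name, and the storage path never appears in a URL.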
Old 02-02-2001, 12:10 AM   Postid: 22522
dank
Now you're thinking!    That works quite nicely, thanks.

Dan
All times are GMT -4.