An easier way to do it might be to use HTTP authentication with apache 
using .htaccess and .htpasswd files, which can be placed in the secure 
directories. (Or use one global .htpasswd file and have all .htaccess files 
point to it.)

Another possibility would be to set up two PHP scripts, one being some 
kind of form to enter a username, password, etc., and another to check the 
input and act as a pass-thru for the file to be downloaded. The second 
script could look something like this (obviously simplified):

if ($authenticated)
    header("Content-type: whatever/text");
    print "You can't download this."

Which you would call as something like:

Obviously, you need to take care of a few security problems, like making 
sure they don't do something like

And you'd have to make sure the file exists and such before sending it out. 
And determine the MIME type of the file. (I usually do this by extension.) 
But overall, it would work. I have a similar script, minus the 
authentication feature. 


John Coggeshall wrote:

> Hey all..
> I've got a question -- I'd like to restrict access to entire directories
> based on if the user has been authenticated or not. Basically, I'd like
> to set up a auto-include *FROM APACHE* to run a PHP script prior to
> sending any documents what-so-ever and only send the requested document
> if the PHP script allows it. So..
> Request Made -> PHP Script Runs -> PHP Checks Authentication -> PHP says
> OK -> Apache sends file normally
> Or..
> Request Made -> PHP Script Runs -> PHP Checks Authentication -> PHP says
> NO -> Apache stops dead in it's tracks or displays a HTTP error
> Is this possible? It has to work for any document or MIME type and be
> restrictable by directory... (i.e. I just want this happening in a
> /secure/ directory)
> John

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to