Secure files with .htaccess

I have a set of files in a secure directory (currently secured by .htaccess, only 'the site' can access these files).

The files should only be available to members of the site; when开发者_StackOverflow中文版 they are logged in. I did have links in the members' area which went to a secure download script - however, using the readfile() function caused problems with the files across Browser/OS ie. losing line endings, corrupt PDFs.

So, I thought a better way might be to only allow people who have clicked the link (within the site) to access the files - hence they have to be logged in as a member. Going ditectly to the resource with it's URL would forward to a 403 forbidden page.

My .htaccess skills aren't the best, but I thought the concept would be similar to stopping hotlinking of images?

Any help - and knowing whether this is possible - would be greatly appreciated.

Best Regards,

Rich

What kind of login/authentication are you using? If you're using the regular HTTP auth stuff, you can just place those directives into the .htaccess along with

Require valid-user

which would allow access only to those who've succesfully logged in. If it's session based, you'll have to fix up the intermediary PHP script, as Apache knows nothing of PHP sessions. At most it can check for the presence/content of a cookie, but then you'd be trusting the clien to not mess with the cookie's conents.