session_start confuses IE wrt mimetypes

Anon

I send a wav file to the browser by setting Content-type: audio/x-wav and readfileing the wav file out. Works fine, unless I put in a session_start in my code, then IE and IE derivitives blow up. I need the session info so I can tell if the user should be allowed to view the wav file (it's voicemail).

Surely this is a problem often encountered. Anyone have ideas for how to get this to work or work around it in a way that doesn't mean throwing away security?

I found a similar thread: (http://www.phpbuilder.com/forum/read.php3?num=2&id=139498&loc=0&thread=139498) but no one had an answer there.

Code that explains the problem:

<?php

If you uncomment this, it won't work in IE.

session_start();

Send a wav file.

header("Content-Type: audio/x-wav");
readfile("whatever.wav");

Anon

<?php

session_start();

$user_verified = 0;
// do stuff to set $user_verified

if($user_verified) {
$filehandle = fopen("whatever.wav", "rb");
header("Content-type: audio/x-wav");
fpassthru($filehandle);
exit();
} else {
echo "<p align='center'><b>you are evil</b></p>";
}

Anon

This also doesn't work, but if you remove session_start() it does. Try it out. It's just like my original problem.

It works on some browsers, but not 90% of recent versions of Internet Explorer browsers, and also fails on Pocket PCs.

There must be a way to do this that won't confuse most browsers. Without it, I can't think of any way I can authenticate who gets to listen to a wav file.