password implementation

jpiskor

I hope this question isn't too web-centric for a php site, but it addresses what I'd like to accomplish via php.
I want to restrict access to a document tree on our webserver to individuals with authorized (i.e. password-controlled) access.

I can't use the .htaccess method because it interferes with an image-looping javascript that we employ. I have successfully set up a password file that gets read each time a user logs on via an html form; the reading takes place at the beginning of the php script that is called by the form. One big problem here is that any user can simply jump into the middle of the "private" tree and access files that should be restricted. (Granted, the exact path and filename are required, but still...)

I am delivering up all files and images via the called php script that generates the views on the fly. Would it be reasonable to "protect" the restricted directory tree with index.php files salted throughout that would trap attempts at direct access?

Any ideas or criticisms are welcomed. Thanks a bunch...

pnoeric

joe - you lost me a bit but how do you keep track of the user being logged in/validated? if you have a cookie planted on their machine that tells you they're validated, then you can just look for that cookie before serving any image. (didn't you say all images are served via php?)

if the images are available directly, try mod_cookie add-on for apache; plan the cookie with php and apache will look for it before allowing access to the image files.

hope this helps

best
eric