I have attempted to make my website secure by having users log in to the site through a PHP-based form before entering. That form accesses a MySQL database that has their information stored in it. To make each viewable page secure, each page calls an authentication function that checks for certain Session objects that were created on login. If the Session object is not found on each page, the person is kicked out of the site. I thought this was a decent approach because the pages were not viewable unless the session objects were in place.
My problem is that data that is not a PHP page is not secure because no authentication function is being called. This includes PDFs, zip files, and standard HTML pages. Does anyone have any ideas how I can secure this downloadable content?
I have implemented .htaccess directory password authentication in Apache before. I don't believe this would work for two reasons. One, I am pulling user info from a database, not a text file. Two (and most importantly), I don't want the users to be prompted for a second login. Is there a way to create a session object and use the header() function that would automatically authenticate through the .htaccess file?
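
One common way to close the gap described above, as an added example that is not part of the original post: keep the PDFs, zip files and static HTML outside the Apache document root and serve them through a PHP script that runs the same session check as every other page, so the existing login is reused and no second prompt appears. The directory path, the `user_id` session key, the `file` query parameter and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not from the post. All names and paths are assumptions.
const PROTECTED_DIR = '/var/www/protected_files'; // outside the document root
const ALLOWED_TYPES = [
    'pdf'  => 'application/pdf',
    'zip'  => 'application/zip',
    'html' => 'text/html; charset=utf-8',
];

// Stand-in for the site's existing authentication function;
// 'user_id' is a hypothetical session key set at login.
function require_login(): void
{
    session_start();
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Not logged in.');
    }
}

// Resolve a requested name to a real file inside PROTECTED_DIR, else null.
function resolve_download(string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks, so the prefix test below
    // rejects anything that resolves outside the protected directory.
    $base = realpath(PROTECTED_DIR);
    $path = realpath(PROTECTED_DIR . '/' . $requested);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return isset(ALLOWED_TYPES[$ext]) ? $path : null;
}

require_login();
$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_download($requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The check only helps if the files cannot also be fetched by a direct URL, which is why the directory sits outside the document root in this sketch.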