Had a question re: htaccess and the AUTH_ vars.

The situation is this: I have a form login that I want to redirect to a htaccess protected dir. I want to be able to take the username/password entered from this form and use that to auth the htaccess. I don't want the htaccess popup to come up, as the client doesn't like having to login twice (but they still want the "nice" looking login form).

My question is this: Can I set the AUTH_USER and PW vars with what was entered via the form, then redirect to the protected dir and have the htaccess use those AUTH vars to automatically auth the user?

I've already tried passing the vars in the URL, such as:

http://myname:mypass@www.mysite.com/secure

.. which doesn't work in IE.

    So I take it that means it can't be done the way I want to..? i.e. the variables have to be provided by the user?

      i think i misread your question. i thought you were going through the htaccess protection first then passing those variables on to your own login form. if so, then you could use the two variables i mentioned to pass on to your own form (provided you are running PHP as an Apache module). but re-reading your question again, i now see you wish to do the reverse. i don't think you can pass POST/GET vars on to HTTP authorization (the IE trick you mentioned will not work with newer versions of IE). if you are implementing your own login system in PHP, then i suggest you do away with the htaccess protection. IMHO, that is an agreeable tradeoff between security and usability.

        Thanks for your reply.

        The problem is this: The client wants to be able to login from a form which exists on a webpage, which will then take them to an index page listing all the files in a dir. The files need to be secure, but they will be things such as jpgs, gifs and pdfs. So I can't implement my own auth routines on them.

        They don't want to have the htaccess login prompt show up, which is the root of my problem.

        I think I'm stuck using htaccess to protect the dir.. unless there's some other way to accomplish it?

          why not simply place all of the jpgs, gifs and pdfs outside of the public tree (above htdocs). then use your own auth routine that once logged in shows you an index of the non-public directory. PHP has many built-in functions for displaying directory lists.

            Yes.. that is a good idea. Didn't even think to do something like that.

            Thanks mate.. I'll give that solution a try.

              Sorry.. another question for ya..

              How would I allow the user to download the files? I can't point to them using an href since they're outside the public tree.

                good question. a bit clumsy but perhaps you could make a temporary copy of the file just for linking. your link could look like this:

                <a href="get_file.php?file=image.gif">link to file</a>
                

                then in "get_file.php":

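                <?php
                // basename() drops any directory part, so "file" cannot point outside these two directories
                $name = basename($_GET['file']);
                // make a temporary public copy of the protected file
                copy('/non/public/dir/' . $name, '/public/htdocs/temp/' . $name);
                header('location: ' . $name);
                // remove the temporary copy
                unlink('/public/htdocs/temp/' . $name);
                exit();
                ?>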
                

                this would be rather impractical for very large files. honestly, this seems like a very large hoop to jump through just to avoid using normal htaccess authorization and directory listing.

                  Makes sense.. except the unlink is deleting the file before it can display it. =(

                    Instead of copying the file to a temp location, why not just pipe its content to the screen?

                    Use a header to set the proper mime-type for the file (probably just octet-stream) and then use fread or file_get_contents (go with looped fread if you're dealing with large files).

                      Thanks. I tried it that way and it worked.

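                      // basename() keeps only the file name, so "file" cannot carry ../ path components
                      $file = '/xxx/xxx/xxx/' . $_SESSION['strDir'] . '/' . basename($_GET['file']);
                      header("Content-Description: File Transfer");
                      header("Content-Type: application/force-download");
                      header("Content-Disposition: attachment; filename=".basename($file));
                      // stream the file straight to the client
                      @readfile($file);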
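
The approach the last replies arrive at (files kept outside the public tree, served through a PHP script after the form login), as an added example that is not code from any poster in this thread. It checks the session before serving, confines the requested name to the protected directory with realpath(), and streams with a looped fread. `BASE_DIR`, the `user` session key and the function name `resolve_download` are assumptions.

```php
<?php
// Added example: download gate for files stored outside the web root.
declare(strict_types=1);

const BASE_DIR = '/non/public/dir';   // assumed location above htdocs

// Map a requested name to a real file inside $baseDir, or return null.
function resolve_download(string $baseDir, $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($requested) || $requested === ''
        || strpos($requested, "\0") !== false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // realpath() resolves ".." and symlinks; the result must still sit under $base
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) && is_readable($path) ? $path : null;
}

session_start();
if (empty($_SESSION['user'])) {       // assumed to be set by the form login
    http_response_code(403);
    exit('Not logged in');
}

$path = resolve_download(BASE_DIR, $_GET['file'] ?? '');
$fh = $path !== null ? fopen($path, 'rb') : false;
if ($fh === false) {
    http_response_code(404);
    exit('File not found');
}

// Quote the name and drop characters that would break the header value
$name = str_replace(['"', '\\'], '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');

// Looped fread keeps memory use flat for large files
while (!feof($fh)) {
    echo fread($fh, 8192);
    flush();
}
fclose($fh);
```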
