Hello all. I've run several searches on this topic on the boards, and found some very enlightening information on the topic at hand, but none of them quite makes sense to my brain yet. I think I may be looking at this the wrong way. So, enough prattle, on to the question.

I've got a folder (let's call it "protected", shall we?) and in this folder I have an .htaccess file. The .htaccess contains one user-password combination (user:encrpytPass). I have something like 1500 people that need to access the contents of "protected", all stored in a MySQL database. Now, I understand the basics here - the html login form runs to a script that checks the db for exactly one record on a SELECT query matching both user name and md5'd password. If it comes back with one match, it sets the PHP_AUTH_USER and PHP_AUTH_PASSWORD variables to the values in the .htaccess file.

Here's where my trouble comes in... If I try to direct the newly authorized user to any page within "protected", it pops up the log in window. Even if I simply try to call a file from within the directory via include or readfile or fopen. I've tried the realm authentication thing (sorry, can't remember it off the top of my head right now, but I took it straight out of a tutorial...) and still got no love. Obviously, this is not at all what I want.

So, my basic question is this - what am I missing? Am I not treating the AUTH variables enough in the vein of sessions? Do I have to call them every page? Do I have to set them after each call? I think I've tried checking the vars on the pages inside the protected folder, much like you would in session-protected pages, but it didn't work. Are the AUTH variables session-based? As in, do I need to start a session on every page as well? I kinda had the impression that they are globals...

Anyway, hope my rambling made some sense, and any help, tutorials, links, or advice will be greatly appreciated.

Thank you!