Hey all, I'm working on a project with a membership system that allows paid users direct access to content and unpaid users have to be forbidden. What sort of system do I need to setup to get this going? Here's a rundown: John is logged in and has purchased Item #A. He goes to http://www.thesite.com/items/ItemA.ext and gets his file. Bill is logged in and hasn't purchased Item #A. He goes to http://www.thesite.com/items/ItemA.ext and gets an error message saying he hasn't purchased this file. The idea I've come up with is having an .htaccess file use mod_rewrite to forward all /items/* requests to some authentication script. Is this generally how it's done? Thanks guys.

No ideas? =/

The most obvious implementation is to use HTTP authentication.

This could be done using Apache basic authentication - and have the PHP script modify the authentication / authorisation files accordingly.

Another possible way is to use PHP itself to serve the files, and have it do the authorisation and authentication itself.

You can do this by forming a URL which uses a PHP script as if it were a directory:

http://downloads.myfunkysite.fake/download.php/expensivereport.pdf

---

If you don't like the idea of having ".php" in that URL, then simply force it to be a PHP page even though it's a plain file (no . in its filename):

# .htaccess<Files downloads> ForceType application/x-httpd-php</Files>

Then the file "downloads" in this directory, will be treated as a PHP script (even though its filename doesn't end in .php)

So people can see the URL /downloads/expensivereport.php

---

You'd serve the file directly out of PHP by sending the appropriate content type, then sending the file contents. This is pretty easy to achieve. The original files would be kept in a directory either outside the web root, or not directly accessible by the web server (for example containing a .htaccess saying "Deny From All").

Mark