Here’s the problem for a site I’m planning for a client:
Users log in and buy access to materials. Each material is a folder containing HTML and other assets like CSS and images. I’ve done single file authentication before and it’s really easy. Just read the file from its private location and output using PHP. Simple. Of course, a folder is more complex. Most of the solutions I’ve found use HTTP authentication. I don’t want this as it’s too confusing for the user when the browser dialog pops up. Once they’ve logged in I (and the client) want it to be seamless.
Given that all the materials will be in a folder outside of the document root, what I’m thinking is when a user logs in:
- Create a publicly accessible folder with a GUID for their session
- Create a cookie with another GUID in it (basically a pseudo session ID)
- Create a .htaccess file denying access if the above cookie is not set
- Create a JSON file with created and accessed properties
Every time they access a material (assuming they have paid for it):
- Copy the entire folder into their GUID folder if not there already
- Update the accessed JSON property
Then run a CRON job that deletes folders that haven’t been accessed for x minutes or were created y minutes ago. x could be 60 minutes and y could be 360 minutes.
This might not be an efficient use of disk space but I think given that the site won’t be high traffic this will be fine.
Given the requirements do you think this is a decent solution — or too long-winded? Is there a simpler solution I’m missing?
Thanks.
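For comparison with the per-session folder scheme above, here is an added example (not the poster's code) that extends the "read the file from its private location and output using PHP" approach to a whole material folder: one front controller checks the normal login session and a purchase list, then serves any asset of the folder from outside the document root. It assumes a MATERIALS_ROOT directory, requests of the form `/material.php/<material>/<relative path>` (PATH_INFO enabled), and a session holding `user_id` and a `purchases` array; all of these names are assumptions.

```php
<?php
// Added example, not the poster's code: serve a purchased material's files from a
// folder outside the document root through one PHP front controller, so the login
// session does the access check and no per-session folders or cron job are needed.
// Assumptions: materials live under MATERIALS_ROOT/<material>/...; requests arrive as
// /material.php/<material>/<relative path> (PATH_INFO enabled); after login the
// session holds 'user_id' and 'purchases' (array of material names the user paid for).
declare(strict_types=1);
const MATERIALS_ROOT = '/var/www/private/materials';   // assumed, outside docroot
const ALLOWED_TYPES = [
    'html' => 'text/html; charset=utf-8', 'css' => 'text/css',
    'js'   => 'application/javascript',   'png' => 'image/png',
    'jpg'  => 'image/jpeg',               'gif' => 'image/gif',
];

// Map a request path to an absolute file path, or null when it must be refused:
// not logged in, material not purchased, file missing, extension not allowed, or
// the resolved path escapes the material's folder (realpath neutralises "../").
function resolveMaterialFile(array $session, string $pathInfo): ?string
{
    if (!isset($session['user_id'])) {
        return null;
    }
    $parts = explode('/', ltrim($pathInfo, '/'), 2);
    $material = $parts[0];
    $file = $parts[1] ?? 'index.html';
    if (!preg_match('/^[a-z0-9_-]+$/i', $material)
        || !in_array($material, $session['purchases'] ?? [], true)) {
        return null;
    }
    $base = realpath(MATERIALS_ROOT . '/' . $material);
    $path = $base === false ? false : realpath($base . '/' . $file);
    if ($base === false || $path === false || !is_file($path)
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return isset(ALLOWED_TYPES[$ext]) ? $path : null;
}

session_start();
$path = resolveMaterialFile($_SESSION, $_SERVER['PATH_INFO'] ?? '');
if ($path === null) {
    http_response_code(isset($_SESSION['user_id']) ? 403 : 401);
    exit;
}
header('Content-Type: ' . ALLOWED_TYPES[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the browser resolves relative links against `/material.php/<material>/`, the folder's own CSS and image references keep working without rewriting, and access ends the moment the session or the purchase entry goes away rather than after a cron sweep.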