Authenticate entire folders

Here’s the problem for a site I’m planning for a client:

Users log in and buy access to materials. Each material is a folder containing HTML and other assets like CSS and images. I’ve done single file authentication before and it’s really easy. Just read the file from its private location and output using PHP. Simple. Of course, a folder is more complex. Most of the solutions I’ve found use HTTP authentication. I don’t want this as it’s too confusing for the user when the browser dialog pops up. Once they’ve logged in I (and the client) want it to be seamless.

Given that all the materials will be in a folder outside of the document root, what I’m thinking is when a user logs in:

  1. Create a publicly accessible folder with a GUID for their session
  2. Create a cookie with another GUID in it (basically a pseudo session ID)
  3. Create a .htaccess file denying access if the above cookie is not set
  4. Create a JSON file with created and accessed properties

Every time they access a material (assuming they have paid for it):

  1. Copy the entire folder into their GUID folder if not there already
  2. Update the accessed JSON property

Then run a CRON job that deletes folders that haven’t been accessed for x minutes or were created y minutes ago. x could be 60 minutes and y could be 360 minutes.

This might not be an efficient use of disk space but I think given that the site won’t be high traffic this will be fine.

Given the requirements do you think this is a decent solution — or too long-winded? Is there a simpler solution I’m missing?


Is it sensible to put all files into a (zip-)archive?

The files are uploaded by the client as a zip but they don’t want them downloading in zip format; they want them to view them online to make it less likely they’ll store and redistribute them. Of course, if you know what you are doing you can download the individual files but most of the users won’t know how to do that.

Why not follow the same method for each of the files under the folder? The users may view the folders but when they try to click on the individual files the authentication kicks in.
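
The per-file approach from the last reply, applied to a whole folder, as an added example that is not part of the thread: one PHP gateway checks the session and the purchase, then streams any asset from the private folder. The rewrite rule, the `material` and `path` parameters, the session keys and `PRIVATE_ROOT` are assumptions made for illustration.

```php
<?php
// serve.php: one gateway for every asset of a purchased material (added example).
// Assumed, not from the thread: a rewrite rule maps /materials/<id>/<path> to
// serve.php?material=<id>&path=<path>; the login code sets $_SESSION['user_id'] and
// $_SESSION['purchased'] (array of id strings); PRIVATE_ROOT is a placeholder path.
declare(strict_types=1);

const PRIVATE_ROOT = '/var/www/private/materials'; // outside the document root
const MIME_TYPES = [
    'html' => 'text/html; charset=utf-8', 'css' => 'text/css',
    'js'   => 'text/javascript',          'svg' => 'image/svg+xml',
    'png'  => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif',
];

// Resolve a requested path inside one material folder; null if it escapes it.
function resolveAsset(string $root, string $material, string $path): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $material) || str_contains($path, "\0")) {
        return null; // the id must be a plain folder name; no NUL bytes in paths
    }
    $base = realpath("$root/$material");
    $file = realpath("$root/$material/$path");
    if ($base === false || $file === false || !is_file($file)) {
        return null;
    }
    // realpath() has resolved ../ and symlinks, so a prefix check is reliable.
    return str_starts_with($file, $base . DIRECTORY_SEPARATOR) ? $file : null;
}

session_start();
$material = (string) ($_GET['material'] ?? '');
$path     = (string) ($_GET['path'] ?? 'index.html');
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Please log in.');
}
if (!in_array($material, $_SESSION['purchased'] ?? [], true)) {
    http_response_code(403);
    exit('Not purchased.');
}
$file = resolveAsset(PRIVATE_ROOT, $material, $path);
$type = MIME_TYPES[strtolower(pathinfo((string) $file, PATHINFO_EXTENSION))] ?? null;
if ($file === null || $type === null) {
    http_response_code(404);
    exit('Not found.');
}
header('Content-Type: ' . $type);
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($file);
```

Because the HTML in each material links to its CSS and images with relative URLs, those requests pass through the same check, so nothing has to be copied into a public folder or cleaned up by a cron job.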