HTTP authentication and PHP authentication

I’m making a members area for my site and I have it already running. I authenticate members using mysql and php and this works really well.

But now a problem occurs: I would like to offer members the possibility to upload files to the system, and those files should be available ONLY to logged-in members.

I know I could store those files to a database or even in a filesystem and serve them through php, BUT this will get very heavy for the server when members upload bigger files. Those files might be even 20MB or even bigger.

I was thinking to use plain HTTP auth to protect those files, but is there any way to integrate that .htaccess protection to my current auth system (php+mysql), so users would not need to log in twice to get access to the uploaded files? Even javascript solutions would be fine, if it is possible…

Yeah, I meant I wouldn’t want to store full files in a database.

And also I wouldn’t want to store the files outside of a www-root or htaccess-forbidden folder, since it would be quite a performance hit if those files were served with php. I know the upload process with php will be a performance hit too, but it is ok since uploads are quite rare. BUT serving the files happens very often.

I think even a simple solution would be ok, something like when a user logs in, at the same time php/javascript etc. would set a http-auth cookie in the user's browser. And then when the user downloads files, his browser is already authenticated with the http-auth, so it wouldn’t prompt a login screen. And it would be perfectly ok if there was only one username/password combo on the htaccess authentication. Every member would log in to the htaccess protected folder with the same credentials. It is basically just to keep non-members from getting those files.

I’m just not sure how to technically implement this.

Let’s throw one thing out right off the bat, though I’m not sure it’s what you meant: You don’t want to store files in a database. Filenames? Sure. Full files? No. No no. No no no.
HTACCESS operates outside of PHP’s scope.

Step 1 is getting the files onto the server. PHP tends not to like big files; another solution may be needed there.

Step 2 is serving them back. Use PHP to serve the files to the browser, and lock the directory using htaccess to prevent people from getting access to them directly.
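
Added example, not part of the original thread: one way to do the "Step 2" described above, with a PHP gatekeeper that checks the existing login session and streams the file from a directory that .htaccess blocks from direct access. The session key `member_id`, the `file` query parameter and the `protected_uploads` directory name are assumptions for illustration.

```php
<?php
// download.php: added example, not code from the thread.
// Assumptions: the existing login code sets $_SESSION['member_id'];
// uploads live in UPLOAD_DIR, whose .htaccess contains
// "Require all denied" (Apache 2.4) or "Deny from all" (Apache 2.2),
// so nothing in it is reachable by a direct URL.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/protected_uploads';   // hypothetical path

session_start();
if (empty($_SESSION['member_id'])) {
    http_response_code(403);
    exit('Members only.');
}
// Release the session lock so a long download does not block the
// member's other requests.
session_write_close();

// basename() drops any directory part and realpath() resolves symlinks;
// the prefix check confirms the result is still inside UPLOAD_DIR.
$name = basename((string)($_GET['file'] ?? ''));
$base = realpath(UPLOAD_DIR);
$path = ($base === false || $name === '')
    ? false
    : realpath($base . DIRECTORY_SEPARATOR . $name);
if ($path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('Not found.');
}

// Force a download and stop the browser from guessing a content type.
$safeName = str_replace(['"', '\\', "\r", "\n"], '_', $name);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . (string)filesize($path));
header('X-Content-Type-Options: nosniff');

// Drop output buffers and stream in 8 KiB chunks, so a 20 MB file is
// never held in PHP memory in full.
while (ob_get_level() > 0) {
    ob_end_clean();
}
$fh = fopen($path, 'rb');
while ($fh !== false && !feof($fh)) {
    echo fread($fh, 8192);
    flush();
}
if ($fh !== false) {
    fclose($fh);
}
```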