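admin/.htaccess:
# Let the wrapper script itself through. The match is anchored and the dot is
# escaped, so only admin/check_auth.php is exempt; the earlier unanchored
# "!check_auth.php" condition also exempted any path that merely contained
# that string, and such files were served without the session check.
RewriteRule ^check_auth\.php$ - [L]
# Hand every other existing regular file to the wrapper. Only -f is tested, so
# directory requests are not matched here; confirm that directory listings and
# index documents are covered some other way.
RewriteCond %{REQUEST_FILENAME} -f
# QSA appends the client's own query string, and check_auth.php can also be
# requested directly, so the script must treat "file" as untrusted input.
# (Comment kept on its own line: Apache documents that comments may not share
# a line with a directive.)
RewriteRule .* check_auth.php?file=$0 [QSA,L]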
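admin/check_auth.php:
// Resume the session if nothing upstream has started one; without an active
// session $_SESSION is empty and every request lands in the error branch.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
// 'file' arrives in the query string and is fully client-controlled: the
// script can be requested directly, bypassing the rewrite rule's -f check.
$file = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : '';
if (!empty($_SESSION['user_authenticated'])) {
    // Resolve the request against this script's directory (admin/) and refuse
    // anything that canonicalises to a location outside it. realpath() collapses
    // "../" sequences and symlinks, and returns false for missing paths.
    $baseDir = realpath(__DIR__);
    $resolved = (strpos($file, "\0") === false)
        ? realpath($baseDir . DIRECTORY_SEPARATOR . $file)
        : false;
    $inside = $resolved !== false
        && strncmp($resolved, $baseDir . DIRECTORY_SEPARATOR, strlen($baseDir) + 1) === 0;
    if ($inside && is_file($resolved)) {
        // readfile() streams bytes verbatim: a .php path is sent as source text,
        // not executed. Handle script files separately, and only after the
        // containment check above. No Content-Type is set here; derive it from a
        // fixed extension allow-list rather than from the request.
        readfile($resolved);
    } else {
        // Same answer for "missing" and "outside admin/" so the response does
        // not reveal which paths exist elsewhere on disk.
        http_response_code(404);
    }
}else{
// bad auth error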
|