Amy Neville

Reputation: 10581

Protecting folder using .htpasswd, but allowing php download while protecting password

I have password-protected a folder, using .htpasswd and .htaccess, that contains digital assets whose downloading I want to control using PHP.

I was planning on offering a download link using the mechanism:

http://username:[email protected]/directory/

However, I don't want people to have access to the username and password. In other words, I want to make a PHP gateway file with a different URL that decides whether to offer the download or not, based on information available in the database.

This is a security thing, so I'm not confident of where to start with this. I'm sure I could hash together some code but I'm not confident about it. How can I do this securely? Any help greatly appreciated.

Upvotes: 1

Views: 367

Answers (1)

ChristianM

Reputation: 1823

If you have the technical possibility, I would suggest you even store the assets outside of the web-accessible folders so you don't need to rely on .htaccess for protection. That way your PHP gateway script is the only way to access those files.

I won't go into details about writing the script itself. There are multitudes of ways to do that, and what is best depends very much on your requirements, so more information would be needed to give some advice on that. If your assets are very big, then streaming them through your script might not work due to memory/time limitations. In that case, you could symlink them from the safe location to a public location with a randomly hashed path/filename for a limited time and give that link out.

Upvotes: 1
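A sketch of the gateway approach described in the answer above, added here as an example and not taken from the answer or the asker's code. The storage path, the `assets`/`purchases` schema, the database connection details and the `user_id` session key are all assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Assumed: assets sit outside the document root; the path is hypothetical.
const ASSET_DIR = '/srv/private-assets';

session_start();
$userId  = $_SESSION['user_id'] ?? null;   // assumed to be set by your login code
$assetId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
session_write_close();                     // release the session lock before streaming
if ($userId === null || !is_int($assetId)) {
    http_response_code(403);
    exit;
}

// Hypothetical schema: assets(id, stored_name, download_name), purchases(user_id, asset_id).
$pdo = new PDO('mysql:host=localhost;dbname=shop', 'app_user', getenv('DB_PASS') ?: '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'SELECT a.stored_name, a.download_name FROM assets a
       JOIN purchases p ON p.asset_id = a.id WHERE a.id = ? AND p.user_id = ?'
);
$stmt->execute([$assetId, $userId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The file name comes from the database, never from the request. realpath() plus a
// prefix check still rejects a row that resolves outside ASSET_DIR.
$base = realpath(ASSET_DIR);
$path = ($row && $base !== false) ? realpath($base . '/' . $row['stored_name']) : false;
if ($path === false || strncmp($path, $base . '/', strlen($base) + 1) !== 0 || !is_file($path)) {
    http_response_code(404);   // same response for "no such asset" and "not entitled"
    exit;
}

$name = preg_replace('/[^A-Za-z0-9._-]/', '_', (string) $row['download_name']);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');

// Fixed-size chunks keep memory use flat whatever the file size.
while (ob_get_level() > 0) { ob_end_clean(); }
set_time_limit(0);
$fh = fopen($path, 'rb');
while ($fh !== false && !feof($fh)) {
    echo fread($fh, 8192);
    flush();
}
if ($fh !== false) { fclose($fh); }
```

The entitlement check and the path containment check both run before any header is sent, so a request that fails either one never learns whether the file exists.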
