PHP: How can I block direct URL access to a file, but still allow it to be downloaded by logged in users?

囚心锁ツ 2020-11-28 19:22

I have a website where users should be able to log in and listen to a song (a self-created mp3). I want to make it so the logged in user can listen/download/whatever, and t

3 answers
  •  天命终不由人
    2020-11-28 19:41

    The only thing you can do for this via .htaccess is require a referer that comes from your site, and it is NOT secure. It is beyond trivial to forge a referer and anyone could suck your site dry.

    The ONLY way you'll be able to have only logged-in users download the file is by placing the file OUTSIDE of your webroot and having a PHP script mediate access. In short:

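    // is_logged_in() stands for your own session check;
    // $name_of_file is the path to the file stored outside the webroot.
    if (is_logged_in()) {
        readfile($name_of_file);
    } else {
        die("Access denied");
    }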
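
One way to write the mediating script the answer above describes, as an added example that is not part of the original answer. The session key `user_id`, the storage directory `/var/www/protected_audio`, the `file` query parameter and the helper `resolve_track()` are assumptions made for illustration.

```php
<?php
// download.php: added example, not the answerer's code.
// Assumed (hypothetical) names: login sets $_SESSION['user_id']; MP3s live
// in STORAGE_DIR, outside the webroot; the track arrives as ?file=name.mp3.
declare(strict_types=1);

const STORAGE_DIR = '/var/www/protected_audio';

function is_logged_in(): bool
{
    return isset($_SESSION['user_id']);
}

// Map a user-supplied name to a real file inside $baseDir, or null.
function resolve_track(string $baseDir, string $requested): ?string
{
    // Accept only a plain "name.mp3"; rejects "../", slashes and NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.mp3\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() follows symlinks, so check containment on the resolved path.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
if (!is_logged_in()) {
    http_response_code(403);
    exit('Access denied');
}

$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_track(STORAGE_DIR, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The login check runs before any file lookup, and the name check plus the `realpath()` containment test keep the request parameter from selecting files outside the storage directory.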
    
