I've been using HTTP authentication through .htaccess files every time I've needed quick and dirty password protection for a complete directory (most of the times, in order to hide third-party apps I install for private use). Now I've written some PHP code to replace local passwords with OpenID. That allows me to get rid of HTTP auth in my PHP sites. However, I'm still trying to figure out a trick I can use in non-PHP stuff (from third-party programs to random stuff).
Apache does not seem to support authentication with custom scripts by default (whatever I do, it should work in my hosting provider). That leaves the obvious solution of using mod_rewrite to route everything though a PHP script that checks credentials and reads the target file but 1) it looks like a performance killer 2) it will interfere with dynamic stuff, such as other PHP scripts.
I'm wondering whether there's a way to tune up the router approach so the script does not need to send the file, or if I'm overlooking some other approach. Any idea?
