Greenguy's Board


viktor 2005-05-04 02:15 AM

Need advice on protecting members-only content
 
I've seen a lot of good advice here about protecting freely-available content (TGP, etc) from hotlinking. My problem is similar, but has to do with paid members-only content.

The reason I don't see the REFERER checking as viable in this scenario is because that client-supplied input is very easy to spoof.

Here's the scenario:
* I have a membership database
* I only want my members to access certain photo galleries

Seems like the most basic thing, right? So how do you folks get it done? How do you make sure that the only person who can get an image from a specific directory hierarchy is one of your members?

I have a couple of ideas, but they all seem to me like they're "warm" but not "quite there":

Solution 1: Keep the image galleries in a non-world-readable location (like one dir up from your webroot). Use mod_rewrite in .htaccess to mask this from the user, and when an image (or whatever) is requested, use server-side PHP to authenticate the user (by method of your choice), read the image from server-only directory and write it out to the client.

Solution 2: In a parent directory for all restricted content (movies, images, etc), use .htaccess to set the handler for those filetypes (jpg, avi, whatever) to something like checkauth.php. This file would then authenticate the user (by method of your choice), then read the requested file from server and write it out to the client.

But these are just my home-baked ideas, I'm curious about how it's done in the "real world".

Thanks!

Viktor
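
Solution 1 from the post above, as an added example that is not part of the original thread: a PHP gatekeeper that checks the session before streaming a file kept outside the webroot, and confines the requested path to that directory so the script cannot be used to read other files. The script name, the `/var/www/protected` path, the rewrite rule and the `member_id` session key are assumptions.

```php
<?php
// gallery.php - hypothetical gatekeeper script (name is an assumption).
// Assumed .htaccess rule that routes gallery URLs to it:
//   RewriteRule ^members/(.+)$ gallery.php?f=$1 [L]
declare(strict_types=1);

const PROTECTED_ROOT = '/var/www/protected'; // assumed location outside the webroot
const ALLOWED_TYPES = [                      // only these extensions are ever served
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'avi' => 'video/x-msvideo',
];

// Returns the canonical path of the requested file, or null if it is
// missing, has a disallowed type, or resolves outside $root.
function resolve_member_file(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks, so the prefix check below
    // is made against where the file really is, not what the URL claims.
    $full = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    return isset(ALLOWED_TYPES[$ext]) ? $full : null;
}

session_start();
// Assumption: the login code sets member_id after checking the membership database.
if (empty($_SESSION['member_id'])) {
    http_response_code(403);
    exit('Members only');
}
$requested = is_string($_GET['f'] ?? null) ? $_GET['f'] : '';
$path = resolve_member_file(PROTECTED_ROOT, $requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: ' . ALLOWED_TYPES[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store'); // keep member content out of shared caches
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The same path check applies to Solution 2, where the handler receives the requested file name from the server instead of a query parameter.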

dgraf 2005-05-11 10:38 AM

What about keeping the content in the same directory/structure as other members only (password protected) content?

venturi 2005-05-12 03:59 AM

If you really want to protect your member areas from hotlinkers, cheaters, hackers, etc. then you should be looking at the products on the market out there specifically designed to do this. Like:
PennyWize
StrongBox


All times are GMT -4.