Background

I’m looking for a transparent, PHP-driven authentication layer for a web site.

I’m aware of the following simple approaches:

HTTP Authentication

Mechanics:

• Apache controls access rights;
• Attempts to access any file in a given directory transparently require HTTP auth if not already authed.

Downsides:

• Limited configuration options;
• Difficult to integrate with existing user database;
• No control over visual presentation of login prompt.

PHP-based login

Mechanics:

• PHP controls access rights;
• Attempts to access any file explicitly built for the system if not already authed will result in redirection to a login page.

Downsides:

• If I forget to write the required include "login_required.inc.php"; or similar at the top of any PHP file, that file will be accessible by anybody.

What I want

I’d like to implement the PHP-based login solution, but to somehow configure Apache to invoke login_required.inc.php (or similar) transparently as an intermediate step when any PHP file is requested.

This script will:

• run;
• check session variables;
• tell Apache either “yes, produce the requested page” or “no, redirect to the login page”;
• not require code to be inserted at the top of every PHP script that requires authentication.

Is this a pipe dream? Or can I do it? And if so, how?