I have used HTTP authentication through .htaccess files each time I have needed fast and dirty password protection for an entire directory (the majority of the occasions, to be able to hide third-party applications I install for individual use). Now I have written some PHP code to exchange local passwords with OpenID. That enables me to eliminate HTTP auth during my PHP sites. However, I am still trying to puzzle out a trick I'm able to use within non-PHP stuff (from third-party programs to random stuff).

Apache doesn't appear to aid authentication with custom scripts automatically (whatever I actually do, it will operate in my host company). That leaves the apparent solution of utilizing mod_rewrite to route everything though a PHP script that inspections qualifications and reads the prospective file but 1) it appears just like a performance killer 2) it'll hinder dynamic stuff, for example other PHP scripts.

I am wondering whether there's a method to optimize the router approach therefore the script need not send the file, or maybe I am looking over another approach. Any idea?

I believe your mod_rewrite approach could be the only method to do that - but rather than using readfile() (when i guess you're, according to that which you say about it will interfere with dynamic stuff, such as other PHP scripts) you can easily include() them, to ensure that raw files are written right to output and PHP code is performed.

You can utilize PHP HTTP-AUTH http://php.net/manual/en/features.http-auth.php

If OpenID is the thing you need consider use of mod_auth_openid for apache