What about redirecting the user to a password protected subfolder?
.htaccess
RewriteCond %{HTTP_COOKIE} !BadHorsie=secret_cookie_keyRewriteRule ^(pretty/url)$ /protected/login.php?url=$1 [R=307,L]protected/.htaccess
AuthUserFile /usr/www/{YOUR_PATH}/protected/.htpasswdAuthGroupFile /dev/nullAuthName "Protected"AuthType Basicrequire user BadHorsieprotected/.htpasswd
BadHorsie:$apr1$fFbaaVdF$Q5ql58g7R4qlpMUDb/5A0/protected/login.php
<?phpif (isset($_GET['url']) && $_GET['url'] && $_GET['url'][0] != '/'&& strpos($_GET['url'], '//') === false) { setcookie('BadHorsie', 'secret_cookie_key', 0, '/'); header('Location: /' . $_GET['url'], true, 307); exit;}?>What happens
- User requests
example.com/pretty/url - 307 redirect to
example.com/protected/login.php?url=pretty/url - login
- on success: user obtains session cookie with secret key
- 307 redirect back to
example.com/pretty/url - User obtains secret content
Note: Of course the "session cookie and back-redirecting"-mechanism is fully optional. Finally you could serve your secret content directly through protected/login.php. I showed this way only for inspiration.
Optional: Do not use PHP and set the cookie through .htaccess.