i have installed mod_auth_mysql to protect apache folder:
php script to do:
create a table users with these fields:
user, password, access_until
1-user can access protected folder if user/pass from mysql is correct and if field access until(datetime field) value is not expired i mean if today is 20/10/2008 20:10:10 and for this user access_until field value is 20/14/2005 10:10:10 we don´t allow user access it doesn´t matter if user/pass were correct.
2-if user/pass/datetime is ok we redirect user to [url removed, login to view] in the protected folder,
apache server(no php script) has to force to redirect user to that page.
2- if user tries to get access has 3 times to enter user/pass if not valid apache (no php)redirects user to a php page([url removed, login to view]) in another folder .
3- create a table ip, we add ip values
4- when user tries to access to the protected folder with mod_auth_mysql if we detect that his ip is in our ip table of ips addresses we allow access to [url removed, login to view] without login(apache redirects user to [url removed, login to view]).
5-when allowed user is in [url removed, login to view] into protected folder we create a php session and a session var logged=true and is redirected to [url removed, login to view],
included into [url removed, login to view](for example require_once ("[url removed, login to view])) we check that php session exists and logged=true.
6-apache server has to check that user has valid php session while he is in the protected folder in [url removed, login to view],
use mod_rewrite or do it like you want but it has to be apache who controls that php session var logged=true,
if we detect from apache/php session var user has not a valid session var logged=true we redirect user to a php page([url removed, login to view]) in another folder if there's a valid session we don´t do anything.