or make a subdirectory and put a file into it called ".htaccess" that contains the single line "DENY FROM ALL". Your script can, after checking the user's authentication, open any file inside that directory, then send a http header to the browser, followed by the contents of the file.