protect downloads

First off, thanks to everyone who helps out on this board! Much appreciated!

My site has audio files available for download. Currently, these files are available over http. In general, my bandwidth could EASILY skyrocket to over 40 GB/mo, but I have limited the links to the files to keep it around 15. My question is: how can I protect FILES - not pages. Here were my thoughts.

1. Hide the files in a dir with a funky name (maybe like 232424231) directory and make a page kinda like this:

if (empty($songid)) {
echo "Please don't try to sneak around this!";
}
else {
header(Location: /obscure/path/to/audiofiles/$songid.mp3);
}

2. Put the files outside of my web folders and call them in a URL (will this work?) ie
<a href=getsong.php?songid=xx>song name</a>
where getsong.php is like the above file. This way the only way to access the files is with a link. On top of that, I set a cookie using a login, getsong.php will check for it, and if you don't have a cookie, it will boot you to index.php.

OR:

3. Is there a way to protect a directory (or actual files) USING PHP?

Eventually I really want to limit downloads to 5 per day. And if that's not enough of a pain in the ***, I'd prefer to stay away from using databases at this point.

Any one have any thoughts?

firsttube.com

Well, your option #2 sounds like a viable plan to me. I wouldn't go with option #1 because even though it is not a common directory name, all that needs to happen is one person to see it and then distribute the path to the file around. With option #2, you are setting a cookie and then checking for it with a script which will protect you from unauthorized downloads. It also puts you one step closer to the five downloads a day thing you wanted....

Well, I used phpUserLogin by one of your affliiates, OxyScripts. I have to say, I wish they had spent more time writing clean HTML because cleaning up the page SUCKED! You can see it here though: firsttube.com/archives. I'm convinced it's pretty unbreakable unless someone hacked the server. ANYWAY, I'm going to try out your authentication script - seems like it might be more flexible.