How to deny direct access to files in AJAX directo

Posted 2020-03-31 03:38

I have several pages that call in content via jQuery .ajax. I don't want the content visible on the page, so that's why I went with .ajax and not showing/hiding the content. I want to protect the files inside the AJAX directory from being directly accessible through the browser URL. I know that PHP headers can be spoofed and don't know if it is better to use an "access" key or try doing it via .htaccess.

My question is: which is the more reliable method? There is no logged-in/not-logged-in user status, and the main pages need to be able to pull in content from the pages in the AJAX directories.

Thanks.

Tags: php
3 answers
chillily
Post 2 · 2020-03-31 03:41

Why not have the content outside the webserver directory, and then have a PHP script that can validate whether the person should see it, and then send it to them.

So you have getcontent.php, and it can look at a cookie, or a token that was given to the JavaScript page and that it uses to make the request, and then it will just fetch the real content, set the MIME types and stream it to the user.

This way you can change your logic as to who should have access without changing any of the rest of your application.

To the browser there is no real difference between http://someorg.net/myimage.gif and http://someorg.net/myscript.php?token=887799&img_id=ddtw88, but obviously it will need to work with GET, so a time-limited value is necessary as the user can see and reuse it.

混吃等死
Post 3 · 2020-03-31 03:43

I would drop this idea because there is no secure way to do it.

Your server will never be able to tell a "real" Ajax request apart from a "faked" one, as every aspect of the request can be forged on the client side. An attacker will just have to look into a packet filter to see what requests your page makes. It is trivial to replicate the requests.

Any solution you work out will do nothing but provide a false sense of security. If you have data you need to keep secret, you will need to employ some more efficient protection like authentication.

狗以群分
Post 4 · 2020-03-31 03:56

Make a temporary, time-coded session variable. Check the variable in the PHP output file before echoing the data.

OR, if you don't want to use sessions, do this:

$key = base64_encode(time() . 'abcd');

In the read file: base64_decode, explode by 'abcd', read the time. Allow a 5-second buffer. If the time falls within 5 seconds of the stamped request, you are legit.

To make it more secure, you can change your encryption/decryption mechanism.

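One way to put together the token-gated proxy script that chillily describes (post 2) and the time-coded key from post 4, with the addition of an HMAC so that the key cannot be minted by anyone who learns its format. This is an added example, not code from the question or from any of the answers; CONTENT_DIR, RESOURCES, $SECRET, the getcontent.php entry point serve_content() and the token layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or the answers above).
// Assumed layout: the real content lives in CONTENT_DIR outside the
// DocumentRoot, the main page embeds a token from issue_token() in its
// JavaScript, and the AJAX URL is getcontent.php?token=... which runs
// serve_content(). $SECRET is a hypothetical server-side key.

const CONTENT_DIR = '/var/app/private_content';   // assumed, outside the web root
const TOKEN_TTL   = 30;                            // seconds a token stays valid

// Whitelist of resource ids -> files, so the token never carries a path.
const RESOURCES = [
    'about'   => 'about.html',
    'pricing' => 'pricing.html',
];

$SECRET = 'replace-with-output-of-random_bytes(32)';   // hypothetical secret

function base64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64url_decode(string $txt): ?string
{
    $b64 = strtr($txt, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw = base64_decode($b64, true);           // strict: reject stray characters
    return $raw === false ? null : $raw;
}

// Token = base64url(resource|expiry|HMAC-SHA256(resource|expiry)).
// Binding the resource id and the expiry under a keyed MAC is what
// stops a client from forging or extending the key.
function issue_token(string $secret, string $resource, int $now, int $ttl = TOKEN_TTL): string
{
    $exp = $now + $ttl;
    $msg = $resource . '|' . $exp;
    $mac = hash_hmac('sha256', $msg, $secret);
    return base64url_encode($msg . '|' . $mac);
}

// Returns the resource id, or null if the token is malformed, forged,
// expired, or names a resource we do not serve.
function verify_token(string $secret, string $token, int $now): ?string
{
    $raw = base64url_decode($token);
    if ($raw === null) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 3) {
        return null;
    }
    [$resource, $exp, $mac] = $parts;
    if (!preg_match('/^\d{1,12}$/', $exp) || !isset(RESOURCES[$resource])) {
        return null;
    }
    $expected = hash_hmac('sha256', $resource . '|' . $exp, $secret);
    if (!hash_equals($expected, $mac)) {   // constant-time compare
        return null;
    }
    if ((int) $exp < $now) {
        return null;                        // expired
    }
    return $resource;
}

// getcontent.php: validate the token, then stream the file from outside the web root.
function serve_content(string $secret): void
{
    $token = $_GET['token'] ?? '';
    if (!is_string($token)) {
        $token = '';
    }
    $resource = verify_token($secret, $token, time());
    if ($resource === null) {
        http_response_code(403);
        return;
    }
    $path = CONTENT_DIR . '/' . RESOURCES[$resource];
    header('Content-Type: text/html; charset=utf-8');
    header('Cache-Control: no-store');
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    // Self-check from the command line: a fresh token, the same token 60 s
    // later (past TOKEN_TTL), and a token with one character appended.
    $t = issue_token($SECRET, 'about', time());
    var_dump(verify_token($SECRET, $t, time()));         // valid
    var_dump(verify_token($SECRET, $t, time() + 60));    // expired
    var_dump(verify_token($SECRET, $t . 'x', time()));   // tampered
} else {
    serve_content($SECRET);
}
```

The main page calls issue_token($SECRET, 'about', time()) while rendering and puts the result into the URL its JavaScript fetches. Two caveats worth keeping in mind: the key in post 4, base64 of time() joined with a fixed string, contains no secret, so anyone who reads one key can produce a valid one for any time, which is why this example signs the token; and, as post 3 points out, whoever can load the main page can also read the token out of its source and replay it within the TTL, so a scheme like this stops direct linking, hotlinking and crawling of the AJAX directory but does not keep the content from a determined user.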