I would consider using a PHP loader to handle authentication and then return the files you need. For example, instead of doing <img src='picture.jpg' />, do something like <img src='load_image.php?image=picture.jpg' />.
Your image loader can verify sessions, check credentials, etc. and then decide whether or not to return the requested file to the browser. This will allow you to store all of your secure files outside of the web accessible root so nobody is going to just WGET them or browse there 'accidentally'.
Just remember to return the right headers in PHP and do something like readfile() in PHP, and that will return the file contents to the browser.
I have used this very setup on several large-scale secure websites and it works like a charm.
Edit: The system I am currently building uses this method to load JavaScript, images, and video, but we aren't very worried about securing CSS.
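A sketch of the loader described in the answer above, added here as an example and not the answerer's own code. It assumes that login code elsewhere sets `$_SESSION['user_id']` and that the protected files live in `/srv/private_media`, outside the document root; both names are hypothetical.

```php
<?php
// load_image.php (added example; session key and directory are assumptions)
declare(strict_types=1);

const MEDIA_DIR = '/srv/private_media';   // assumed location outside the web root
const ALLOWED_TYPES = [                    // extension => Content-Type to send
    'jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif',
    'js'  => 'application/javascript', 'mp4' => 'video/mp4',
];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_start();
if (empty($_SESSION['user_id'])) {         // no authenticated session: refuse
    deny(403);
}

// The parameter is attacker-controlled: require a plain, non-empty string.
$name = $_GET['image'] ?? '';
if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
    deny(404);
}

// Resolve to a canonical path and confirm it is still inside MEDIA_DIR.
// This rejects "../" sequences and symlinks that point somewhere else.
$base = realpath(MEDIA_DIR);
$path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
if ($path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    deny(404);
}

// Send a Content-Type from the allowlist only; unknown extensions are refused.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset(ALLOWED_TYPES[$ext])) {
    deny(404);
}

session_write_close();                     // release the session lock before streaming
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff'); // browser must not guess another type
header('Cache-Control: private, no-store');// keep protected files out of shared caches
readfile($path);
```

Missing, out-of-directory and disallowed files all return the same 404, so the response does not reveal which file names exist in the private directory.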