
PHP: How can I block direct URL access to a file, but still allow it to be downloaded by logged in users?


In the members folder, create a new folder named files, move all your songs there, create a new .htaccess file and add the following lines:

    Order Deny,Allow
    Deny from all


In the members folder, create a file named get_song.php and add the following code:

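    <?php
    // is_logged() is the site's own login check and must be defined elsewhere
    if( !empty( $_GET['name'] ) && is_string( $_GET['name'] ) ){
      // check if user is logged in
      if( is_logged() )
      {
        // keep only letters, digits, underscore and hyphen: no dots or path separators
        $song_name = preg_replace( '#[^-\w]#', '', $_GET['name'] );
        $song_file = "{$_SERVER['DOCUMENT_ROOT']}/members/files/{$song_name}.mp3";
        if( file_exists( $song_file ) )
        {
          // members-only content: keep shared caches from storing it
          header( 'Cache-Control: private' );
          header( 'Content-Description: File Transfer' );
          // send only the file name, not the server-side path
          header( "Content-Disposition: attachment; filename=\"{$song_name}.mp3\"" );
          header( 'Content-Type: audio/mpeg' );
          header( 'Content-Transfer-Encoding: binary' );
          readfile( $song_file );
          exit;
        }
      }
    }
    die( "ERROR: invalid song or you don't have permissions to download it." );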


And now, you can use this URL to get the song file:
http://mysite.com/members/get_song.php?name=my-song-name


The only thing you can do for this via .htaccess is require a referer that comes from your site, and it is NOT secure. It is beyond trivial to forge a referer and anyone could suck your site dry.

The ONLY way you'll be able to have only logged-in users download the file is by placing the file OUTSIDE of your webroot and having a PHP script mediate access. In short:

    if (is_logged_in()) {
       readfile($name_of_file);
    } else {
       die("Access denied");
    }


Are you using a scripting language such as PHP to handle your website? If so, then the best way is to create a script that handles "delivery" of the content. Save the content in a protected directory, i.e. above your http or www folder. Then when the user is logged in, the link to your content would look like this:

http://yoursite.com/listen.php?song_id=xxx

The script will locate the required song by the id and then present the data to the user.
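
The delivery script that the last two answers describe, written out as an added example that is not part of any answer on this page: files sit outside the web root, the session is checked first, and the song is found by id through a lookup rather than by a user-supplied path. The session key `user_id`, the directory `/var/www/protected/songs`, the `resolve_song()` helper and the one-entry catalog are assumptions made for illustration.

```php
<?php
// listen.php - added example, not code from the answers above.
// Assumptions: the login code sets $_SESSION['user_id']; songs live in SONG_DIR,
// a directory outside the web root; the id => filename catalog is hypothetical
// (a real site would query its database).
declare(strict_types=1);

const SONG_DIR = '/var/www/protected/songs';   // assumed path, not under the docroot

// Map a request's song_id to a real file inside $baseDir, or null.
function resolve_song(?string $id, array $catalog, string $baseDir): ?string
{
    // Accept only a plain decimal id that exists in the catalog.
    if ($id === null || !ctype_digit($id) || !isset($catalog[(int) $id])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $catalog[(int) $id]);
    // realpath() resolves symlinks and "..", so the prefix check catches escapes.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {             // not logged in
    http_response_code(403);
    exit('Access denied');
}

$catalog = [1 => 'my-song-name.mp3'];          // constructed sample data
$id = $_GET['song_id'] ?? null;                // may be an array if sent as song_id[]
$path = resolve_song(is_string($id) ? $id : null, $catalog, SONG_DIR);
if ($path === null) {
    http_response_code(404);
    exit('Unknown song');
}

header('Content-Type: audio/mpeg');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');    // keep shared caches from storing it
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the request carries only an id, nothing the user sends is ever joined into a filesystem path; the `realpath()` prefix check is a second barrier in case a catalog entry or a symlink points outside the song directory.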