I think what he's saying though.. is even if you do use the authenticate() function... if a user knows the exact URL, they can still get the file, whether authenticated or not.
For example.. say you have to log in to use the chat. Granted, that stops 95% of the people from getting access to anything... but, for the smarter people, if they really wanted a file out of the /chat directory, they could try and type in the URLs in their browser until they got it right.
I guess this was brought up over at photopost as well, because typically, if you have a private gallery that you can't see unless logged on, or a certain member, then others can't gain access to it. But.. unless the directory has .htaccess set up, users could still type in the URL of those "protected" images and retrieve them.
But.. the problem is when you use .htaccess, it will prompt you for another login box, even if you are already logged into threads or likewise. So I think the ultimate goal here is to have the threads login information be passed to .htaccess so the user doesn't have to log in again, yet the directory contents are as secure as possible.
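
Added example, not part of the original post and not UBB.threads or PhotoPost code: one common way to get the single-login behaviour described above is to deny direct requests to the directory and serve its files through a script that checks the forum session the user already has. The session key `user_id`, the directory path and the `file` query parameter are assumptions made for illustration.

```php
<?php
// Gatekeeper script (hypothetical name: download.php). Added example only.
// Assumptions: the protected files sit in PROTECTED_DIR, which is either outside
// the web root or blocked by an .htaccess containing "Require all denied"
// (Apache 2.4), so typing the file's URL directly no longer works. The forum
// login is assumed to store the member id in $_SESSION['user_id'].

const PROTECTED_DIR = '/var/www/private/chat'; // hypothetical path

// Map the requested name to a real file inside $baseDir, or return null.
function resolve_protected_path(string $baseDir, $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($requested) || $requested === ''
        || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks before the containment check.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // The trailing separator stops "/private/chat-old" matching "/private/chat".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

session_start();
if (empty($_SESSION['user_id'])) {   // not logged in to the forum
    http_response_code(403);
    exit('Login required');
}

$path = resolve_protected_path(PROTECTED_DIR, $_GET['file'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// mime_content_type() needs the fileinfo extension; fall back to a safe default.
$type = mime_content_type($path) ?: 'application/octet-stream';
header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Pages then link to the script with the file name as a parameter instead of linking to the file itself, so the only login prompt a member ever sees is the forum's own.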