Nima, Malte,
I think the "best" way is as Malte suggests. Make PHP a first-class language inside OpenACS as much as possible.
However, the "quick" way is to write a small bit of PHP code that talks to the database and essentially mimics what OpenACS does.
Since the SQL queries are the same, you need only figure out how to code the test for being logged in or not in PHP. You should be able to use the cookies information sent in the header.
Then, put all this functionality in a single .php file. Tell your internal users that all they need to do is to include this file in the beginning of their PHP scripts for each script that needs to be protected.
I seem to recall that there is a way in PHP to automatically run a PHP script before running the asked-for script, but I cannot seem to locate the URL.
