An issue that I ran into is that opendir() could care less if you've got server authentication set on sub directories and so any such authentication is bypassed completely when accesses in this way. I did solve it for my application of a pretty file manager, by redirecting to all sub directories thusly:
$fdir = "./subdirectory_I_want_to_visit/";
if ($fdir != './') { //basically where we are or the parent
//redirect the browser to force authentication check on any subdirectories
header("Location: http://my.domain.com".dirname($_SERVER["PHP_SELF"]).substr($fdir,2));
exit;
} else {
$dir = opendir($fdir);
}