I have about 800 customers. I have prepared an online bill for each of them, which are actually PDF files.
I set up a php script, which asks for a user name and password, then gives the customers the necessary link to access the PDF bill.
That worked fine, until someone pointed out that all the PDF files are accessible, all you need is to know its name. Quite easy as the filename is "A/c No.pdf". Whoops.
My question is what should I have done to only allow access to the customer's own bill?
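The usual fix for the problem described above is to keep the PDFs out of the web server's document root entirely and let a script be the only way to reach them. The script checks the login session and derives the account number from the session, never from the request, so a customer can only ever fetch their own file. The following is an added example of such a download script; it is not the asker's code. It assumes the login script stores the customer's account number in `$_SESSION['account_no']` and that the bills have been moved to a hypothetical directory `/var/billing/pdf/` outside the web root, still named `<account number>.pdf`.

```php
<?php
// Added example (not from the original post): serve a bill only after
// verifying the session and that the bill belongs to the logged-in customer.
// Assumption: the login script sets $_SESSION['account_no'] on success.
session_start();

// Assumption: bills were moved here, OUTSIDE the DocumentRoot, so direct URLs
// such as /bills/12345.pdf no longer resolve to anything.
$billDir = '/var/billing/pdf';

if (empty($_SESSION['account_no'])) {
    http_response_code(403);
    exit('Please log in to view your bill.');
}

// Take the account number from the session, never from $_GET/$_POST, so a
// user cannot request another customer's bill by editing a parameter.
$account = (string) $_SESSION['account_no'];

// Belt and braces: the account number should be digits only. Rejecting
// anything else guarantees the value cannot be used for path traversal
// (e.g. "../") even if a bad value somehow reached the session.
if (!preg_match('/^\d{1,12}$/', $account)) {
    http_response_code(400);
    exit('Invalid account number.');
}

$path = $billDir . '/' . $account . '.pdf';

// realpath() resolves symlinks and "..": confirm the final file is still
// inside $billDir before reading it.
$resolved = realpath($path);
if ($resolved === false || strpos($resolved, realpath($billDir) . '/') !== 0 || !is_file($resolved)) {
    http_response_code(404);
    exit('No bill found for this account.');
}

// Send the PDF. no-store keeps shared caches/proxies from retaining it.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="bill-' . $account . '.pdf"');
header('Content-Length: ' . filesize($resolved));
header('Cache-Control: private, no-store');
readfile($resolved);
exit;
```

The login page would then link to this script (for example `download.php`) rather than to the PDF itself. Moving the files out of the document root is the essential step: if they stay in a public directory, a web server rule denying direct access to `*.pdf` in that folder is needed as well, otherwise the old direct links keep working regardless of what the script checks. Since the filename is derived from the session rather than supplied by the user, there is no per-file ownership table to maintain; for the same reason the script should not accept an account number parameter "for convenience", as that would reintroduce the original problem.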