I have a page that can only be accessed by users who are logged in. On this page are links to pdf files. The problem I have is that while the page is secure the actual files are not. A user can type in the url to the file and download the PDFs without being logged in. One option I know is to protect the directory however this will prompt the user to enter another login. Another option I thought of is to place the files in a directory not viewable by the web such as where I may have
and www is where the site lives. Can I place the files here:
If that is the case I am not sure how I can access the files from http/downloads
Is there a better way to accomplish this?