We have got a site (eg abc.com) that is built in classic ASP and hosted on IIS 6.0. We have got a content folder in IIS 6.0, which consists of static files like PDF or XLS. We came to know recently that in various search engines, direct links of our website (www.abc.com/content/xyz.PDF) to PDF/xls are getting displayed in the search results and any user can access those files directly. As these files should be accessible to only logged in users, what is the way of preventing the anonymous users from accessing those files directly. We are using cookie and database for authenticating a valid user. The actions we have taken so far are:-
1) Included robots.txt in our website and through various webmaster tools, prevented the listing of direct links in the search results but we don’t think it is the optimal solution.
2) In our website there were various functionalities, through which the links to direct access of PDF’s were used to show it to the user. That we have stopped by not showing the direct URL path to the user.
Questions: - As we are using IIS6.0 and classic ASP, is there any way to implement anything at IIS level to prevent direct access of PDF/XLS files. Like, if the user types ‘www.abc.com/temp/xyz.PDF’ or the url consisting of .pdf/.xls should be intercepted by our asp or any other page first for the authentication(to check the user is logged in or not) and based on that it should allow to open.