How can I prevent non-logged-in users from accessing PDFs/DOCs/etc.?

I inherited various web clients from another developer many years ago.  One client site, that's probably over 8 years old, has some serious security issues.  Recently, a PDF that they thought was only accessible through the client's login showed up on a Google search, and opened just fine. Since they assumed these could only be accessed when their clients logged in, they're understandably freaking out.

I plan to add SSL so that, at the very least, their login codes are encrypted. I've also added a robot.txt file so they won't index them anymore; however, what is the best way to prevent anyone from entering www.domain.com/pdf/filename.pdf into the browser to view these documents?

The host told me that I'd have to secure that directory with a password, meaning they'd have to log into their account, then add another username/password to open any of these files.  I can't believe this is the answer.  So, I'm coming to you brilliant folks.

Any ideas for how to assure this client that their private documents are private?  Let me know.  Thanks.
StellaBob Asked:

Gary Commented:
The best security is to have the files outside the root of your site so they are not directly accessible at all.
Then when someone needs to access them you can stream the file to them (of course checking they are logged in).
While the file is not publicly accessible it doesn't prevent your server side code accessing it.
Usually your user permissions would extend to one folder above your root, this would normally store other things like webstats etc.
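
A sketch of the approach described in the answer above, as an added example that is not code from any poster in this thread. The thread does not name the site's language, so Python is used for illustration; `serve_private_file`, `PRIVATE_DIR`, the allowed extensions and the `user_id` session key are assumed names, and the sample data is constructed.

```python
import mimetypes
import tempfile
from pathlib import Path

# Hypothetical location: a sibling of the web root, so no URL maps to it.
PRIVATE_DIR = Path("/home/account/private_docs")
ALLOWED_SUFFIXES = {".pdf", ".doc", ".docx"}

def serve_private_file(session, requested_name, base_dir=PRIVATE_DIR):
    """Return (status, headers, body) for one download request."""
    # 1. Refuse anyone without a logged-in session before touching the disk.
    if not session or not session.get("user_id"):
        return 401, {}, b""
    # 2. Resolve the path and confirm it is still inside the private directory,
    #    which rejects "../", absolute paths and symlinks that point elsewhere.
    try:
        base = Path(base_dir).resolve()
        target = (base / requested_name).resolve()
        inside = base in target.parents and target.is_file()
    except (OSError, ValueError):
        inside = False
    if not inside or target.suffix.lower() not in ALLOWED_SUFFIXES:
        return 404, {}, b""
    # 3. Return the file with headers that keep shared caches and crawlers away.
    safe_name = target.name.replace('"', "")
    headers = {
        "Content-Type": mimetypes.guess_type(target.name)[0] or "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Cache-Control": "private, no-store",
        "X-Robots-Tag": "noindex",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, target.read_bytes()

if __name__ == "__main__":
    # Constructed sample data in a temporary directory.
    private = Path(tempfile.mkdtemp())
    (private / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    for session, name in [(None, "report.pdf"), ({"user_id": 7}, "report.pdf"),
                          ({"user_id": 7}, "../../etc/passwd")]:
        print(name, "->", serve_private_file(session, name, private)[0])
```

For large documents, the body would be sent in chunks rather than read into memory in one call; the login and path checks stay the same.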

Dave Baldwin (Fixer of Problems) Commented:
There is no easy answer to your question.  Gary's response is a good one but it requires you to rewrite the code that accesses the files.  It also assumes that you have access above your web root directory, which is not true on most shared hosting.
Gary Commented:
@Dave
Most shared hosting will give you FTP to a parent folder above your root as this is where your stats etc will be stored - well it has always been the case for me when I have used shared hosting in the past.
StellaBob (Author) Commented:
This particular host does allow access to the parent folder above the root.  Let me see what I can do there and I'll let you know.  Thanks.
StellaBob (Author) Commented:
While I haven't figured out how to code this, I believe this answer would be the best option for me.  Thanks.