I am working on an ASP web site that requires a user to sign in, uses session variables, and every page check to verify that they have access to that page.

The problem - Many of the files in the site are Word, PPT, or PDF files. How can I protect these files from unauthorized downloads? Right now, if I knew the path to a specific file (doc, ppt, pdf), I could type in that URL, go straight to the file without any login required, and download the file.

How do I patch this backdoor? I know there are several possible solutions. Password protecting the directory is not an option due to the size of the web site, number of files, and the number of users for the site.

Any other suggestions???

I'm not sure as to how exactly it would work but I would approach that problem by storing the Word, PPT and PDF files in a database as binary and then creating the files as required from the database. It's something I've heard of others doing but I haven't done it myself.