The solution will depend on how you provide access to the static PDF files. Are the files served by FoxWeb scripts, as described in the Returning Non-HTML Content section of the Returning Content to the Browser page? If yes, then there's no problem. Just move these files to a different folder that is not accessible directly through your web server.
If on the other hand you link directly to the files, then you can't use the same authentication as you use for FoxWeb. In this case you either need to modify your code to serve the files through FoxWeb scripts, or you hide them behind randomly generated file names. Security by obscurity is generally a very bad idea, but it may be OK, depending on how sensitive the data you are trying to protect is. The problem with using these random names is that somebody with access could note the URL and pass it to an unauthorized person, or even worse post it somewhere, in which case web crawlers, including search engines, will discover them. You can control this to a certain extent with a robots.txt file, but do not rely on such a solution for truly confidential data.
FoxWeb Support Team
Sent by Art Bergquist on 05/03/2019 10:01:36 PM:
This afternoon, we discovered that someone had Google-d (it may have been a Googlebot) and ended up being able to access a .PDF file that is supposed to be accessible only after you log in to the non-anonymous part of our website.
Is there a way to prevent access to .PDFs in the non-anonymous (i.e., userid/password -protected) part of the website?
I have read through the Session Management FoxWeb web page and have protected all .FWx files in the non-anonymous part of the website from being directly accessed.
I'm trying to figure out, though, how to prevent direct access to .PDFs in the non-anonymous part of the website.