I have created a Web site that has some PDFs that can only be seen by subscribers; there are 3 kinds of subscribers (for the moment). Depending on their subscription, they can or cannot see the PDF. This is managed by the login control. However, the problem is that whenever you log in, you can see the address for the PDF (such as http://www.mywebsite.com/allpdfs/0/acertainfile.pdf); you can pass on this address to a friend and if he clicks on the link then he can see the PDF. One solution is to put, in the private folder "allpdfs", an ASPX page that will check if the user is identified or not; if not identified then he will be redirected to a page to log in, but if he is identified, then I make a copy of the requested PDF file into a public folder and redirect the user to that copy to see it.
I don't like this solution, so if I want to show the identified user the original pdf file, then I have to set the access for the private folder "allpdfs" to anonymous which is bad (all users can then see it)!
My question is: how can I manage to show the original PDF file within the "allpdfs" folder without having to play with the Anonymous access property of that folder (virtual root)? Maybe there is a way that security is only handled by my ASPX page? I wonder how the other Web sites do it?
Try turning off ASP caching (go to IIS\Home Directory\Configuration\App Options), restart your Web server, and test the login control again. Re-enable ASP caching and decrease your session timeouts.
If subscription access to PDFs requires subscribers to manually authenticate, then consider creating a separate folder for each subscriber, use NT authentication (not clear text), and assign a unique password for each dedicated folder. That way, even if a friend obtains the address, they will be required to authenticate in order to view PDF files. You will not need to move PDF files from a private folder to a public folder, since you have set up a dedicated folder (with a unique password) for each subscriber.
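
An added illustration, not part of the original thread: one way to let the application alone decide who gets a PDF is a handler that checks the login and subscription on every request and then streams the original file, so no public copy is made and a forwarded link only works for a logged-in subscriber. The handler name, the `tier` and `file` query parameters, the role names `tier0` to `tier2`, the `App_Data` location, and reading the `0` in the example URL as a subscription-level folder are all assumptions.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Security;

// Hypothetical handler, requested as GetPdf.ashx?tier=0&file=acertainfile.pdf
public class PdfGateHandler : IHttpHandler
{
    // Assumption: the PDFs sit under App_Data, which ASP.NET refuses to serve directly.
    private const string PrivateRoot = "~/App_Data/allpdfs";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Anonymous request (for example a forwarded link): go to the login page.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // 2. The subscriber must hold the role matching the requested tier
        //    (assumed role names; requires role management to be configured).
        int tier;
        if (!int.TryParse(context.Request.QueryString["tier"], out tier)
            || tier < 0 || tier > 2 || !context.User.IsInRole("tier" + tier))
        {
            context.Response.StatusCode = 403;
            return;
        }

        // 3. Accept a bare *.pdf file name only: separators, ':' and other invalid
        //    characters are rejected, and the resolved path must stay under the root.
        string name = context.Request.QueryString["file"] ?? "";
        string root = context.Server.MapPath(PrivateRoot);
        bool badName = name.Length == 0
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || !name.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase);
        string full = badName ? null : Path.GetFullPath(Path.Combine(root, tier.ToString(), name));
        if (full == null || !File.Exists(full)
            || !full.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // 4. Stream the original file; it is read by the application's own account,
        //    so the folder never needs anonymous access.
        context.Response.ContentType = "application/pdf";
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.TransmitFile(full);
    }
}
```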