There is an existing open-source program out there that does this -- called (IIRC) "PHPFileNavigator". Might be worth a look. I've played with it a bit, and it seems to work nicely. Whatever you do, I agree that the best way to protect these documents from direct download is that they should be located outside the public HTML directory. Stephen On Oct 15, 2007, at 3:54 AM, iris wrote: > good morning everyone > > i've got a website that has a password protected members' area (php > login system). physically the content is all located within a / > members/ > folder. within this is a documents folder with word, powerpoint etc > docs which can be downloaded from within the members' area (i.e. > only if > logged in). > > however, if someone knew the exact location of a document > (http://example.com/members/docs/example.doc) they could get to them > without being logged in. > > how do i protect these documents from unauthorised access?