> whereas a regular web-surfer, finding the link, will try to download
> it, but will be blocked/be asked to authorize himself.
The way I've seen this achieved is to store the files in a directory below the web root (public/) so that they're not directly accessible. Then have a controller that receives and authenticates the request for a file, opens the physical file and streams it to the browser, sending the correct headers. There are obviously performance issues to consider with this method.
The other way is to use htaccess to protect the directory, but that will depend on your setup.
Hope that helps,
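
Added example, not part of the original reply: a framework-neutral Python sketch of the controller approach described above, with the access check, a path-containment check on the requested name, the response headers, and chunked streaming. The function name `open_download`, the `allowed_users` set and the sample file are assumptions made for illustration.

```python
import mimetypes
import re
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read size, so large files are never loaded whole

def open_download(storage_dir, requested_name, user, allowed_users):
    """Return (status, headers, body_iterator) for one download request.

    `user` is the identity the session layer already verified (None if the
    visitor is not logged in); `allowed_users` is a hypothetical ACL.
    """
    if user is None:
        return 401, {}, iter(())   # not logged in: caller sends to login
    if user not in allowed_users:
        return 403, {}, iter(())   # logged in, but not entitled
    root = Path(storage_dir).resolve()
    target = (root / requested_name).resolve()
    # Resolve first, then require the result to stay inside the storage
    # directory: this rejects "../", absolute paths and symlink escapes.
    if root not in target.parents or not target.is_file():
        return 404, {}, iter(())
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", target.name)
    headers = {
        "Content-Type": mimetypes.guess_type(target.name)[0]
                        or "application/octet-stream",
        "Content-Length": str(target.stat().st_size),
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "private, no-store",
    }

    def stream():
        with target.open("rb") as fh:
            while chunk := fh.read(CHUNK):
                yield chunk

    return 200, headers, stream()

if __name__ == "__main__":
    # Constructed sample: a private directory holding one file.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "report.pdf").write_bytes(b"%PDF-1.4 sample")
        for who, name in [(None, "report.pdf"), ("bob", "report.pdf"),
                          ("alice", "../etc/passwd"), ("alice", "report.pdf")]:
            status, headers, body = open_download(tmp, name, who, {"alice"})
            print(who, name, status, sum(len(c) for c in body))
```

The performance cost mentioned in the reply comes from the application process holding the connection for the whole transfer; reading in fixed-size chunks keeps memory use flat but does not remove that cost.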