Typically, the best way to secure downloadables is to have them stored above the web root, thus not being directly accessible by the browser. Then when an authnticated user wants to download one, you provide it to them progrmatically
Here is a rough example <a href="download.cfm?file=abc.pdf">Click To Download</a> download.cfm <cfheader name="content-disposition" value="attachment;filename=#url.file#"> <cfcontent type="text/plain" file="d:\sites\mysite\pdfs\#url.file#" deletefile="No"> -- Alan Rother Adobe Certified Advanced ColdFusion MX 7 Developer Manager, Phoenix Cold Fusion User Group, AZCFUG.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325047 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4