I'm currently developing a site in kentico 5.5, and one of the requirements is to create a list of resources (documents and files). Each resource can have a security requirement where the user needs to enter a clientid, which is checked against a non kentico table, and granted or denied access accordingly.

I'm listing the resources on a page in a repeater. For simple documents, I'm using pagemethods to check if the resource requires a clientid for verification. If so, it unhides a div, containing a clientid field and a submit button. When the user hits submit, it checks against the database, and if valid, sets it to a session variable, and redirects to the resource, which then does it's own check for the clientid session (in case someone manually types in the address), and then allows access.

The problem exists when the resource is a file, i.e. a word document, pdf, etc...

My initial check works, and it won't redirect if they don't have a valid client ID. However if you just check the source and copy result of getfileurl and paste into the browser, it opens the file.

How can I add the same security check to the getfileurl page, so that it won't open the file if the clientid doesn't exist in the session variable?