How to prevent external users from viewing document files

Question

I've built an online system that allows users to download PDF files using ColdFusion. Users have to log in before they can download the files (PDF & Microsoft Office documents). (This application is only for our company staff.)

However, only today I found out that anyone with internet access can view the files. With only certain keywords such as 'Medical Form myCompanyName' in a Google search, they can view the PDF files using the browser.

How can I prevent this?

UPDATE
this is what my problem is. i've created a folder for all of the PDFs file. each of the files is called using ID from database. if let's say a user wanted to view Medical Form, the link would be: http://myApplication.myCompanyName/forms.cfm?Department=Account&filesID=001.

if the user copy this url & log out from system, he/she will not be able to view this file.(login page will be displayed)

However, without the url, other internet users sstill can view the pdf files just by search it on the net, and the search engine will gives a link that direct it to the folder itself, without having to login.

Example: Medical Form's pdf file is stored in a folder named Document. when an internet user search for Medical Form, the search engine will link it to: http://myApplication.myCompanyName/Document/Medical%20Form.pdf

we have lots of PDF files in this folder and most of it are confidential, and for internal view purpose only. in php, we can disable this by using .htaccess. i'd like to know if there's anything like this for coldfusion?

Answer 1

You can send files through the code with single line like this:

<cfif isAuthorized>
    <cfcontent file="/path/to/files/outside/of/web/root/Form.pdf" type="application/pdf" reset="true" />
</cfif>

ColdFusion FTW, right.

Please note that handling large files (say, 100MB+) may cause some problems, because files being pushed to RAM before sending. Looks like this is not correct any more, as Mike's answer explains.

Another option is to use content type like x-application if you want to force download.

UPD

You want to put this code into the file (let's say file.cfm) and use it for PDF links. Something like this:

<a href="file.cfm?filename=Xyz.pdf">Download file Xyz.pdf</a>

file.cfm:

<!--- with trailing slash --->
<cfset basePath = "/path/to/files/outside/of/web/root/" />

<cfif isAuthorized AND StructKeyExists(url, "filename") 
      AND FileExists(basePath & url.filename) 
      AND isFile(basePath & url.filename) 
      AND GetDirectoryFromPath(basePath & url.filename) EQ basePath>
    <cfcontent file="#basePath##url.filename#" type="application/pdf" reset="true" />
<cfelse>
    <cfoutput>File not found, or you are not authorized to see it</cfoutput>
</cfif>

UPD2

Added GetDirectoryFromPath(basePath & url.filename) EQ basePath as easy and quick protection from the security issue mentioned.

Personally I usually use ID/database approach, though this answer was initially intended as simple guidance, not really compehensive solution.