PHP Login: Bypass Prevention?

I am writing a website for a community that has a protected page on it. You can view the other pages, but when you try to access the “FTO Documents” it asks you for a password, which works great. There is just one issue: if you know where the system directs you when you get the password right, you can just plug this into the URL and get to the hidden page with no problems. Any suggestions?

The solution is to not make private resources publicly available. Each of the resources must have its own authentication check and reject all invalid requests.

The concrete implementation depends on what exactly your password check looks like. Are you talking about HTTP Basic Authentication? Some PHP-based log-in form written by yourself?

As mentioned, private documents should be behind the public directory and served when they are needed and authorization has passed.
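Putting the two answers above together, here is an added PHP example (not code from the original poster or either answerer) of what "each resource has its own authentication check" and "documents live outside the public directory and are served only after authorization" look like in practice. It assumes a session-based log-in form that stores a password hash server-side and sets `$_SESSION['fto_user']` on success; the directory `/var/www/private/fto` and the file name `handbook.pdf` are hypothetical placeholders.

```php
<?php
declare(strict_types=1);

// ---- auth.php: included at the top of EVERY protected page and script ----
// The check lives in the resource itself, so knowing the URL is not enough.
session_start();

function require_auth(): void
{
    if (empty($_SESSION['fto_user'])) {
        // Not logged in: redirect to the form and stop executing. Never fall through.
        header('Location: /login.php', true, 302);
        exit;
    }
}

// ---- login.php: verify the submitted password against a stored hash ----
// $hash is created once with password_hash($plain, PASSWORD_DEFAULT) and kept server-side.
function handle_login(string $submitted, string $hash): bool
{
    if (password_verify($submitted, $hash)) {
        session_regenerate_id(true);   // new session id after login (defeats session fixation)
        $_SESSION['fto_user'] = true;
        return true;
    }
    return false;
}

// ---- fto_documents.php: the formerly "hidden" page ----
//   require __DIR__ . '/auth.php';
//   require_auth();            // typing this URL directly now lands on login.php
//   ... render the page ...

// ---- download.php: hand out files that are stored OUTSIDE the web root ----
// Because /var/www/private/fto (hypothetical) is not under the document root,
// no URL maps to the files; this script is the only way to obtain one.
function serve_private_document(string $requested, string $privateDir): void
{
    require_auth();

    // Allow only plain file names: no slashes, no "..", no quotes (also keeps
    // the Content-Disposition header below safe to build).
    $name = basename($requested);
    if ($name === '' || preg_match('/^[A-Za-z0-9._-]+$/', $name) !== 1) {
        http_response_code(404);
        exit;
    }

    // Resolve both paths and confirm the target is still inside $privateDir,
    // even if a symlink was planted in the directory.
    $base = realpath($privateDir);
    $path = realpath($privateDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit;
    }

    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    exit;
}

// Usage from download.php, e.g. /download.php?file=handbook.pdf
// serve_private_document($_GET['file'] ?? '', '/var/www/private/fto');
```

The important property is that neither `fto_documents.php` nor `download.php` does anything useful before `require_auth()` has passed, and the documents themselves have no URL at all; the redirect after a correct password is just a convenience, not the thing protecting the content.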
