Question is though, how do I protect the documents themselves from being accessed directly via the file location.

Say a file is uploaded to www.example.com/secretstorage/itsasecret.doc

I need a way to stop the user just bookmarking that location and going through the back door, so to speak, or worse – passing the URL on to others.

Of course I’ll disable indexing on the /secretstorage/ directory so they can’t just drop the document name and get a list of files.

I really want more than that though. In other simpler projects I’ve just used .htaccess to protect directories with usernames and passwords, and that’ a possible. I’d want to avoid users having to enter a username and password to get into the directory after they’ve already logged into the front end though. Is it possible to pass the username and password to the server somehow without the user having to enter it?

I know this maybe isn't strictly a php mysql question, but that's my main platform so thought best to pop the post here.

I may, of course, be barking up entirely the wrong tree method-wise – would appreciate any and all suggestions on ways to handle this.