I have an access-controlled app. Users with access can upload documents. Documents are stored in a folder called folder/number/file.ext.
When a user is logged in, I send them to get-file.php?file_id=3431&id=33333.
In get-file.php, I check that they are logged in and have access to the page, and if so, redirect them to www.example.com/folder/number/file.ext.
Now the problem is that if you are not logged in, you can see www.example.com/folder/number/file.ext.
How do I get around this pretty serious issue with sensitive info?
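
An added example, not part of the original post: get-file.php streams the document itself after the access check instead of redirecting to a public URL, so the check cannot be skipped by requesting the file directly. The storage path, the session key `user_id`, and the helper `authorized_path()` with its sample record are assumptions standing in for the app's own code.

```php
<?php
declare(strict_types=1);
session_start();

// Assumed location: a directory outside the document root, so no URL maps to it.
const STORAGE_ROOT = '/var/www/private-uploads';

// Hypothetical stand-in for the app's own permission check and database lookup.
// Returns the path relative to STORAGE_ROOT, or null if this user may not read it.
function authorized_path(int $userId, int $fileId, int $id): ?string
{
    // Constructed sample record: file 3431 under 33333, readable by user 7.
    $files = ['3431:33333' => ['users' => [7], 'path' => '33333/file.ext']];
    $row = $files["$fileId:$id"] ?? null;
    return ($row !== null && in_array($userId, $row['users'], true)) ? $row['path'] : null;
}

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

if (!isset($_SESSION['user_id'])) {
    deny(401); // not logged in
}
$fileId = filter_input(INPUT_GET, 'file_id', FILTER_VALIDATE_INT);
$id     = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($fileId) || !is_int($id)) {
    deny(400); // missing or non-numeric parameters
}
$relative = authorized_path((int) $_SESSION['user_id'], $fileId, $id);
if ($relative === null) {
    deny(404); // same answer for "missing" and "not allowed"
}
// Resolve symlinks and ".." and confirm the result is still inside STORAGE_ROOT.
$root = realpath(STORAGE_ROOT);
$full = realpath(STORAGE_ROOT . '/' . $relative);
if ($root === false || $full === false || !is_file($full)
    || strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
    deny(404);
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . rawurlencode(basename($full)) . '"');
header('Content-Length: ' . (string) filesize($full));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($full);
```

If the files have to remain under the web root, the same effect needs the web server to refuse direct requests to that folder (on Apache 2.4, `Require all denied` for the directory) so that get-file.php is the only route to them.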