Thanks again Rick for your suggestions.

I did thought of doing it in one of two ways you've mentioned but wanted to see if someone can come up with something simpler (I'm lazy).

Dynamic generation would require having the ability to create PDF using PDF Writer that I'm not sure our ISP is willing to install and support. It would be different if it was our own server but...

Using "hard to guess" PDF names like using GUID or long obscure names stored in the DB might be most-likely alternative if I can't find a better one.

Thanks again.

>John,
>
>I see what you're getting at. I wasn't thinking along the lines of someone hacking the URL. Two things come to mind: one would be to use random names for the PDF's, so it would be hard to guess another valid one. If you're using VFP then SYS(2015) might be a candidate for this, or you could use a GUID if you want to make it even tougher. This would be transparent to the user if they're requesting these documents through a link instead of directly by name. The second thing would be to generate the PDF's upon request and delete them after a pre-determined interval of time. That way they're only there for a few minutes (or however long you decide), which reduces the amount of time somebody else could find one even if they did guess a valid file name.
>
>Does this get closer to what you're looking for?
>
>-Rick
>
>>Thanks Rick but I don't see your proposed solution solving the original problem of restricting access to specific PDF files. For instance, let's say the system was able to validate a vendor/PDF match and allows a vendor to view a specific PDF file with following url www.mywebsite.com/pdf/19493.pdf.
>>
>>What's to say this vendor can not simply retype the url with different pdf like www.mywebsite.com/pdf/123456.pdf and pull up a pdf that might exist?
>>
>>Having said this, there must be a way to password protect a whole subdirectory and have server-side only access to it like supplying the password in an ASP page that can't be seen by the browser of the user.
>>
>>>>We would like to post purchase orders converted to PDF files for viewing/printing by our vendors via our web site. However, how do I protect these files for access by only those "applicable" vendors for each P.O.?
>>>>
>>>>I guess my question is how do you dynamically allow/restrict access to specific files on the web server. TIA.
>>>
>>>Here's one way: Put the PDF file names in a database along with the vendor ID for each one. Require the vendors to login to your site. Once you have validated the vendor login and know who it is, you can dynamically generate a page that contains links only to the PDF files that belong to that particular vendor.