The easiest way is probably just to have a PHP script that requires the existence of a valid session (like the generator script does), whose function is to readfile("/path/to/contract.pdf");

That way, you can have your PDF wrapper script verify that the contract being downloaded is the RIGHT contract for the person in the sesion, not just that it’s a contract that is in the directory.

The problem with a .htaccess-based solution on the directory is that anyone with read access to the directory can download ANY contract.

Given a URL like http://example.com/contract.php?user=132&bill=1 you could:

<?php

$user = $_GET['user'];
$bill = $_GET['bill'];
# do input validation on $user and $bill.  No really, do it.

if ($user != $_SESSION['user']) {
  die("Security error; the black choppers are on their way.");
}

header("Content-type: application/pdf");
header('Content-Disposition: attachment; filename="Contract-$user-$bill.pdf"');

readfile("/path/to/pdfspool/$user/Contract-$user-$bill.pdf");

The if () chunk in the middle verifies that the $user being requested is valid for the current user. Obviously, you’ll want to store $_SESSION[‘user’], probably when this user first logs in.

Of course, you don’t NEED to keep spool files, really. If the process of generating a PDF isn’t going to overwhelm your web server (and if it does you have other problems), it may just be easier to re-generate each PDF from scratch, on request. That’s what I do with company invoices now, and each invoice gets a 6 point footer saying when it was generated and by a request from what IP address. 🙂