I was wondering if anyone had suggestions on how to do this. I have a webserver to allow users to publish PDF files. The system is required to serve the same PDFs to a group of internal and a group of external users. The internal users should use basic auth going against an internal directory, and external via basic auth going against a simple htpasswd file. Both really need to see the same file because the users cannot handle uploading two variants of the same file. I got the above working with symlink magic, so basically have: doc_root |------------|------------| groupA groupB |- - - - - - - - - - - - - - - | file.pdf (^ symlink) and putting different auth configuration in groupA and groupB directories. Everythings good so far. Now users want the pdf files to contain hyperlinks to auxilliary content in the same directory, and I see problems. I do not seem to be able to use relative (to where the pdf file was) URLs in the pdf file. There seems to be varying support for that in programs I tried to create PDFs with links, but I think it is more basic than that. The pdf is going to be opened typically not in the browser itself but in a helper application, which seems unlikely to know that the file came from the web (much less what URL it was downloaded from), which would make it difficult to process a relative URL. Some direct experimentation supports this, as does having the link go to a cgi which dumps environment, etc --- HTTP_REFERER and anything else suggesting the cgi request was related to a previous request was not present. Although I would be glad if someone could prove me wrong, it also seems like this behavior would be very browser specific at best.. Since I cannot get users to create 2 versions of the PDF, one with the URL allowing access for groupA, the other for groupB. I am trying to see how a single URL can get access to the same extra file along the correct URL to get access. (Relative links would have been such a nice solution!) I thought about making the links in the PDF go to another cgi with some relative path information to the file desired, and have the CGI figure out based on the auth information which group of users submitted it (not entirely sure how, but seems moot now). But the CGI does not get ANY auth information unless I restrict access to the cgi via basic auth or similar, which means I must call the correct cgi script (or at least call the same cgi by correct path), which leads me in the same quandry. The best solution I can think of is to have something before the web browser loads the pdf file set a cookie indicating which auth method the user went through. The PDF link then goes through another CGI which checks for the cookie and redirects to the correct "extra file" via the correct path as based on the cookie. Only good things I see are that the cookie has no sensitive data; just determines if user came in as groupA or groupB. But otherwise seems to be a lot of overkill for what seems like it should be easier. Am I missing something simple? Does anyone have any less complicated scenarios?