I have an ASP.NET website serving up private PDF documents. The PDFs are stored unencrypted on a share on the internal network. The user logs in and navigates to the download page. The web server validates that the user has access to the file, loads it from the share and transmits it in the response.
Is this the "right" way, a secure way to deliver these documents? For instance, if the PDFs were stored in a directory on the website itself, that would be a big security risk. As I mentioned, they're not in the website directory. But what else should I be aware of with this setup to keep these documents secure?
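The flow the question describes (authenticated user, server-side entitlement check, file read from an internal share, streamed back) can be written down concretely. The following is an added example, not the asker's code and not from any particular project: an ASP.NET Core controller in which the document is addressed by an opaque ID rather than a path, the entitlement check and the existence check are one lookup, and the response is marked non-cacheable and served as an attachment. The share root, the `IDocumentRepository` interface, the `DocumentRecord` type and the route are assumed names for illustration.

```csharp
// Added example (not the asker's code). Assumed names: ShareRoot,
// IDocumentRepository, DocumentRecord and the "documents" route.
using System;
using System.IO;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public sealed class DocumentRecord
{
    public Guid Id { get; init; }
    public string FileName { get; init; } = "";    // name shown to the user
    public string StoredName { get; init; } = "";  // server-assigned on-disk name
}

public interface IDocumentRepository
{
    // Returns null unless the document exists AND this user is entitled to it,
    // so a caller cannot tell "no such document" from "not yours".
    Task<DocumentRecord?> FindForUserAsync(Guid id, string userId);
}

[Authorize]                 // unauthenticated requests never reach the action
[ApiController]
[Route("documents")]
public sealed class DocumentsController : ControllerBase
{
    // Assumed location of the share; never exposed to the client.
    private const string ShareRoot = @"\\fileserver\private-docs";
    private readonly IDocumentRepository _repo;

    public DocumentsController(IDocumentRepository repo) => _repo = repo;

    [HttpGet("{id:guid}")]
    // Private documents must not land in shared or proxy caches.
    [ResponseCache(NoStore = true, Location = ResponseCacheLocation.None)]
    public async Task<IActionResult> Download(Guid id)
    {
        // Identity comes from the authenticated principal, never from a query parameter.
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId is null) return Forbid();

        // Entitlement is decided per request on the server, keyed by an opaque ID.
        var doc = await _repo.FindForUserAsync(id, userId);
        if (doc is null) return NotFound();

        // The on-disk name is server-assigned, but still confine the resolved path
        // to the share root so a bad record can never escape it.
        var fullPath = Path.GetFullPath(Path.Combine(ShareRoot, doc.StoredName));
        if (!fullPath.StartsWith(ShareRoot + Path.DirectorySeparatorChar,
                                 StringComparison.OrdinalIgnoreCase))
            return NotFound();

        // Stream rather than buffer the whole PDF; File() disposes the stream
        // when the response completes.
        var stream = new FileStream(fullPath, FileMode.Open, FileAccess.Read,
                                    FileShare.Read, bufferSize: 64 * 1024, useAsync: true);

        // The third argument sets Content-Disposition: attachment, so the browser
        // downloads the file instead of rendering it inline from your origin.
        return File(stream, "application/pdf", doc.FileName);
    }
}
```

Two design points in this version are worth calling out against the setup in the question. First, the client never supplies a file name or path, only an ID that the server maps to a record, so there is no path to traverse; the `GetFullPath` check is a second line of defence against a corrupted record, not the primary control. Second, the repository lookup combines "does it exist" with "may this user read it", and both failures return 404, which stops the endpoint from being used to enumerate which document IDs are valid. The web server's own service account still needs read access to the share, so that account, not the end user's, is what the share ACL should be scoped to.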