In my virutal directory,there is a subdirectory ,which holds some files that allow others to download,but if one want to download the file ,he must login first.after that ,he can use my programe to query the file and find it ,then download it .but if he knows the file Url,he can bybass the process.for example ,one of my file living in "File" subdirectory,with the name is file1.doc.he can download by send the request http://myserver/file/file1.doc ,then the file file1.doc will be downloaded by him. I add a section in my web.config file .it likes this: when someone want to get the file in Files directory,the class CheckSession will checck him if he has the right to do .but the class doesn't work. and i find ,if i take a aspx file in the directory,it works well. buy why ?who can help me ? thank you!