I have been using htaccess security for a while but was dismayed to find recently that an innocent mistake by one user allowed an unintended breach by another. One user had emailed a page from a secured directory to a friend to illustrate something or other. There were active links to urls within the secured direcory on that page. When those links are clicked from the email the linked page is actually displayed with the request for user authentication poping up over the top. By simply cancelling the authentication popup the submit button on that page which is displayed can be actioned. It appears as though any requested page in the secured directory is displayed before the authentication pop-up is actioned. This is not normally an issue for my site as the first page in the directory is normally a redirection page which displays nothing. Surely this is not how htaccess security is intended to work. What can I be doing wrong and how can I really secure my pages from un-wanted actions.