htaccess will be activated before the PHP engine. Hence you can't use this system when you need to check if a user is logged in or not.
The way to do this is to send only logged in users to a page containing a file list for download, and when pressing the link PHP will do the actual downloading of the file to the client, using the right headers.

Example from php.net

// We'll be outputting a PDF
header('Content-type: application/pdf');

// It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');

// The PDF source is in original.pdf
readfile('original.pdf');

Eğer ortak klasörleri dışında koymak gerekir gerçek dosyaları, bu yüzden onlara doğrudan sörf kullanıcıların tehlikesi yok.

Itay cevabı eklemek için, yine bu dosyalara doğrudan erişimi engellemek zorunda. Bu yapılabilir

Deny from all

line in the .htaccess file,
But I'd rather place these files in a directory above document root.