A typical Over The Air link looks like
<a href="itms-services://?action=download-manifest&url=https://website.com/app/appname.plist">
Download App
</a>
The plist contains a link to the .ipa file found in the same directory on the website. If I want a user to be authenticated and authorized (ie: asp.net Identity 2.0), Over The Air will not work after downloading the .plist file because whatever Apple does, does not keep the authentication (cookie) from the browser. Apple's OTA process does not have access to the .ipa file referenced in the downloaded .plist file.
Any solutions to securely have these files available? I do not want the files open to anonymous internet users...