How to Password Protect a Directory so all Files are Protected?

Report · Dec 18, 2007

Hello CFers and Happy Holidays,

I am moving a web site over from a Linux server over to a Windows 2000 server. The site was currently password protected via the oh so familiar .htaccess method on the Linux server. Now that the site is on IIS on Windows, the .htaccess files don't work.

I have created a MSSQL database with a users table that contains all of the username and passwords that are allowed to access the site.

Normally I would just log users in by querying the database, setting a session variable, and then using application.cfm to check to make sure the users is logged in. However, in this particualr site, most of the files are made up of .htm files which do not get processed by the ColdFusion application.cfm tag.

Several posts indicated that I would need to disable anonymous access within IIS and then create the individual user accounts within Administrative Tools > Computer Management > Users and Groups. However, in this case, I don't want to create thousands of new users within windows.

Is there a way for me to password protect all files within a directory while still using the accounts set up in my MSSQL database for authentication?

Thanks,
David Levin

Report · Dec 19, 2007

If you were delivering a single package, such as a zip, a pdf, or something to download, you could move the files outside of a web accessible directory and then deliver the files with cfheader and cfcontent.

Since you are trying to protect htm pages along with standard elements such as images, you have to protect at the IIS level. Since the built-in IIS authentication isn't going to do it for you, you need to look into ISAPI filters. Information is a little sparse, but there is a commercial solution that would lock down directories based on a database.

http://www.flicks.com/flicks/authx.htm

Report · Dec 19, 2007

> Several posts indicated that I would need to disable anonymous access within
> IIS and then create the individual user accounts within Administrative Tools >
> Computer Management > Users and Groups. However, in this case, I don't want to
> create thousands of new users within windows.

How many users did you have in your .htaccess config? That's how many
you'd need to set up in IIS. With IIS & file system permissions you're
effecting the same thing you would with Apache's .htaccess authorisation.
Except using GUI tools rather than text files; it's the same principle,
though.

Or... you could just install Apache and use that instead, sticking with the
approach you're used to.

--
Adam

Report · Dec 19, 2007

Adam, I would like to stick with IIS. There are thousands of user accounts so I would prefer to use MSSQL to store the accounts.

wigginton, thanks for your tip. That software package looks like it might do exactly what I need. Does that package use ISAPI filters? I wonder if it would be worthwhile to develop my own solution using ISAPI filters. From the description of the prodict it looks like you can create a bridge between IIS and MSSQL.

I'll do some more research on ISAPI filters and ColdFusion. Google hasn't yielded too many useful resources thus far.

Adobe Community

How to Password Protect a Directory so all Files are Protected?