Restricted access to non cf files using cf

Community Beginner, Jul 06, 2009

I have a question that its answer may be interesting and useful for many CF developers. Here it is.

I have a site, and I have a folder where access is restricted and I have a login page asking for user name and password. As usual I check these access data in my database and I give or do not give access to the content of this folder. Nothing special until now.

Let's suppose

The root folder of my site is        C:\MySite

The restricted access folder is    C:\MySite\MembersFolder

In the root folder I have the login page   C:\MySite\login.cfm

In the restricted access folder and its subfolders I have various CF pages e.g.

--   C:\MySite\MembersFolder\page1.cfm ,

--   C:\MySite\MembersFolder\folder2\page2.cfm  etc

Whenever someone logs in successfully I keep a session variable with his name, userid etc blah blah. So whenever someone tries to access a restricted access page e.g.   C:\MySite\MembersFolder\page1.cfm  I check whether or not the session variable of his access exists. If the session variable exists I give access, otherwise I send him to the login page. Again nothing special. Just a typical process.

My question is.

All the above can restrict access to any CF page in the folder  C:\MySite\MembersFolder

BUT what about any other content in this folder e.g PDF, jpg, doc files etc ?

Because someone not logged in can just write in his browser:  http://www.MySite.com/MembersFolder/MyBook.pdf  and can get the PDF file without logging in!!!

Any idea how I can restrict access to any kind of content (htm, cfm, pdf, jpg, doc, xls etc) using ColdFusion?

(Well I know I can store these kinds of files in binary fields of the database.... instead of storing them as files, but I don't think it's realistic. These files pdf, doc, tiff, xls can be many MB and it's not realistic to read these huge files from the database on a medium or high traffic site.)

So any other idea?

Thanks in advance for your response.

KianX

TOPICS
Advanced techniques

Guest, Jul 06, 2009

Well, one standard response to this is to put those document files that are not CF into a directory outside the webroot, and then having a CFM page that can be used to access them, returning them using the cfcontent tag.  This will add overhead, as a CF thread is not handling sending those documents out, but you are restricting access to them successfully.

Have you used cfcontent before?

Community Beginner, Jul 06, 2009

Thank you Joe for your answer. Yes, I have used cfcontent before when having stored pdf files in binary fields of a database. The traffic there was low and I had no other option.

About your idea to store these non-CF files in folders outside the root of the site: well, it's close to the idea of binary fields of the db, because in this case too I will have to read (load) all these files into a CF variable using CFFile and then present them using this variable in the CFContent. In both cases I will have to load a huge volume of data into CF variables. Could this be avoided?

Thanks anyway.

KianX

Valorous Hero, Jul 06, 2009

1) The cfcontent tag has a file property that allows you to serve up files directly without having to load the contents into a variable.

2) But if you really want security of all web content, the web server has better tools to secure everything going through it, rather than the application server.  You would need to dig into the capabilities of your web server of choice.

Guest, Jul 06, 2009

Well, if you use the file="" attribute of cfcontent you don't have to 'load' them first. Example:-

<cfcontent type = "application/pdf" file = "/my/dir/outside/root/hidden.pdf" deleteFile = "no" reset = "yes">

I'm not completely sure how much load this will mean, but it 'should' just pass the file through it (your security logic goes before it obviously).

Why not try an example of it on a large file - time it just from downloading it in the browser, and then via this mechanism - just to get a feel for it? It will consume a CF thread for the download, but there will be no 'load' step afaik.

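The approach the replies converge on (files kept outside the web root, a session check, then cfcontent with its file attribute), written out as an added example that is not code from any poster in the thread. The page name download.cfm, the url.file parameter, session.userId and the directory C:\MySiteProtected are assumptions made for illustration; session management must already be enabled for the application.

```cfml
<!--- download.cfm (hypothetical name): added example, not code from the thread.
      Assumes login.cfm sets session.userId and that the protected files were
      moved to C:\MySiteProtected (constructed path, outside C:\MySite). --->
<cfset protectedDir = "C:\MySiteProtected">
<cfparam name="url.file" default="">

<!--- 1. Same session check that guards the .cfm pages. cflocation ends the request. --->
<cfif NOT structKeyExists(session, "userId")>
    <cflocation url="/login.cfm" addtoken="no">
</cfif>

<!--- 2. Accept a bare file name only: no drive letters, slashes or leading dots. --->
<cfset requested = getFileFromPath(url.file)>
<cfif compare(requested, url.file) NEQ 0
      OR NOT reFind("^[A-Za-z0-9][A-Za-z0-9._-]*$", requested)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Extension allow-list; the MIME type comes from here, never from the request. --->
<cfset mimeTypes = structNew()>
<cfset mimeTypes["pdf"] = "application/pdf">
<cfset mimeTypes["jpg"] = "image/jpeg">
<cfset mimeTypes["doc"] = "application/msword">
<cfset mimeTypes["xls"] = "application/vnd.ms-excel">
<cfset ext = lCase(listLast(requested, "."))>

<!--- 4. Resolve the canonical path and confirm the file sits directly in protectedDir. --->
<cfset baseDir = createObject("java", "java.io.File").init(protectedDir).getCanonicalPath()>
<cfset target = createObject("java", "java.io.File").init(baseDir, requested).getCanonicalFile()>
<cfif NOT structKeyExists(mimeTypes, ext)
      OR NOT target.isFile()
      OR compareNoCase(target.getParent(), baseDir) NEQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 5. Stream from disk with the file attribute; nothing is read into a CF variable. --->
<cfheader name="Content-Disposition" value="attachment; filename=#requested#">
<cfheader name="X-Content-Type-Options" value="nosniff">
<cfcontent type="#mimeTypes[ext]#" file="#target.getPath()#" deleteFile="no" reset="yes">
```

Links to member documents then point at download.cfm?file=MyBook.pdf instead of the file itself, and a request without a valid session never reaches the cfcontent tag.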