I have a question whose answer may be interesting and useful for many CF developers. Here it is.
I have a site, and I have a folder where access is restricted, and I have a login page asking for user name and password. As usual I check these access data in my database and I give or do not give access to the content of this folder. Nothing special until now.
Let's suppose:
The root folder of my site is C:\MySite
The restricted access folder is C:\MySite\MembersFolder
In the root folder I have the login page C:\MySite\login.cfm
In the restricted access folder and its subfolders I have various CF pages e.g.
-- C:\MySite\MembersFolder\page1.cfm ,
-- C:\MySite\MembersFolder\folder2\page2.cfm etc
Whenever someone logs in successfully I keep a session variable with his name, userid etc. So whenever someone tries to access a restricted access page, e.g. C:\MySite\MembersFolder\page1.cfm, I check whether the session variable of his access exists or not. If the session variable exists I give access, otherwise I send him to the login page. Again nothing special. Just a typical process.
My question is:
All the above can restrict access to any CF page in the folder C:\MySite\MembersFolder
BUT what about any other content in this folder, e.g. PDF, jpg, doc files etc.?
Because someone not logged in can just write in his browser: http://www.MySite.com/MembersFolder/MyBook.pdf and can get the PDF file without logging in!!!
Any idea how I can restrict access to any kind of content (htm, cfm, pdf, jpg, doc, xls etc.) using ColdFusion?
(Well, I know I can store these kinds of files in binary fields of the database instead of storing them as files, but I don't think it's realistic. These files (pdf, doc, tiff, xls) can be many MB and it's not realistic to read such huge files from the database on a medium or high traffic site.)
So any other idea?
Thanks in advance for your response.
KianX
Well, one standard response to this is to put those document files that are not CF into a directory outside the webroot, and then have a CFM page that can be used to access them, returning them using the cfcontent tag. This will add overhead, as a CF thread is not handling sending those documents out, but you are restricting access to them successfully.
Have you used cfcontent before?
Thank you Joe for your answer. Yes, I have used cfcontent before, when I had stored pdf files in binary fields of a database. The traffic there was low and I had no other option.
About your idea to store these non-CF files in folders outside the root of the site: well, it's close to the idea of binary fields in the db, because in this case too I will have to read (load) all these files into a CF variable using CFFile and then present them using this variable in CFContent. In both cases I will have to load a huge volume of data into CF variables. Could this be avoided?
Thanks anyway.
KianX
1) The cfcontent tag has a file attribute that allows you to serve up files directly without having to load the contents into a variable.
2) But if you really want security of all web content, the web server has better tools to secure everything going through it than the application server does. You would need to dig into the capabilities of your web server of choice.
Well, if you use the file="" attribute of cfcontent you don't have to 'load' them first. Example:
<cfcontent type = "application/pdf" file = "/my/dir/outside/root/hidden.pdf" deleteFile = "no" reset = "yes">
I'm not completely sure how much load this will mean, but it 'should' just pass the file through (your security logic goes before it, obviously).
Why not try an example of it on a large file - time it just from downloading it in the browser, and then via this mechanism - just to get a feel for it? It will consume a CF thread for the download, but there will be no 'load' step afaik.
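The gateway page that Joe's first reply and the two cfcontent replies above describe, written out as a complete example. This is an added illustration, not code posted by anyone in the thread. It assumes the documents have been moved to C:\MySiteFiles\ (a hypothetical folder outside C:\MySite), that sessionManagement is enabled in Application.cfc, and that login.cfm sets session.userid on success; the file name, allowlist and paths are all made up for the example. The part the thread does not spell out, and the part a practitioner must not skip, is that the request may only name a file, never a path: without the name check below, ?file=..\..\somewhere\else.pdf would let a logged-in member read any file the CF service account can reach.

```cfml
<!--- download.cfm  (added example; hypothetical paths and names)
      Serves members-only documents that live OUTSIDE the web root,
      so the web server cannot hand them out directly. --->
<cfsetting enablecfoutputonly="true">

<!--- 1. Same login check the thread already uses on its .cfm pages --->
<cfif NOT structKeyExists(session, "userid")>
    <cflocation url="/login.cfm" addtoken="false">
</cfif>

<!--- 2. Accept a bare file name only. listLast() with "/" and "\" as
      delimiters discards any directory part, and the regex rejects
      anything that is not name.ext (so ".." and odd characters fail). --->
<cfparam name="url.file" type="string" default="">
<cfset fileName = listLast(url.file, "/\")>
<cfif NOT reFind("^[A-Za-z0-9_\-]+\.[A-Za-z0-9]{1,5}$", fileName)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Allowlist of extensions you are willing to serve, each with its
      content type. Anything else is treated as if it does not exist. --->
<cfset mimeTypes = {
    "pdf"  = "application/pdf",
    "doc"  = "application/msword",
    "xls"  = "application/vnd.ms-excel",
    "jpg"  = "image/jpeg",
    "tif"  = "image/tiff",
    "tiff" = "image/tiff"
}>
<cfset ext = lCase(listLast(fileName, "."))>

<!--- Hypothetical document store, outside C:\MySite --->
<cfset docRoot  = "C:\MySiteFiles\">
<cfset fullPath = docRoot & fileName>

<cfif NOT structKeyExists(mimeTypes, ext) OR NOT fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 4. Stream straight from disk with cfcontent file="...": no cffile
      read into a variable, as the replies above point out. reset="yes"
      throws away any buffered output so the binary is not corrupted. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#fileName#""">
<cfheader name="Cache-Control" value="private, no-store">
<cfcontent type="#mimeTypes[ext]#" file="#fullPath#" deletefile="no" reset="yes">
```

Links in the members area then point at /download.cfm?file=MyBook.pdf instead of /MembersFolder/MyBook.pdf. Two things to verify after moving the files: the ColdFusion service account needs read access to C:\MySiteFiles, and the web server must not have that folder mapped as a virtual directory, or the whole exercise is undone. As the last reply notes, each download still occupies a CF thread for its duration; that is the cost of doing the check in the application server rather than with the web server's own access controls mentioned in the reply before it.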