restrict users from downloading files

LEGEND, Apr 23, 2007

Easy one I think, just not sure how to implement

I have a login area for our distributors on our site. Within this section
there are sensitive documents (price lists, etc) available for download.

I have a documents.cfm page with all the relevant links to the documents.

At the top of my documents.cfm page I have code that verifies that the user
has logged in. This would prevent "general" users from accessing the page.


<cfif isdefined("client.access") AND client.access EQ "YES">
    <!--- Logged in: move the timeout 30 minutes into the future --->
    <cfset client.timeout = now() + CreateTimeSpan(0, 0, 30, 0)>
<cfelse>
    <!--- User hasn't logged in, throw them out --->
    <cf_tags_location url="#client.URL#/logout.cfm" addtoken="no">
</cfif>


My question is that, in theory, a user who knew the direct URL of the
Excel document could type it in and get around my security, e.g.
http://www.mysite.com/documents/pricelist.xls

How could I stop this without putting file permissions on my web server
folder? Would I have to set up some type of check in my application.cfm page?


Advocate, Apr 23, 2007

Hi,

If your web server is Apache, then you can put a .htaccess file in place to force visitors to enter a valid username / password before allowing them to download...

Advocate, Apr 24, 2007

You could also place it in a non web-accessible directory and use <cffile> to retrieve and present the file. Assuming that you have access to <cffile> in your hosting environment, this is probably going to be the most secure because it prevents anyone from accessing the file except through your CF interface.

LEGEND, Apr 30, 2007

I was thinking a bit more about this. Could I do something like the
following and put it in my application.cfm page?
I'm just not sure which is the best/appropriate CGI variable to use to read
the user's URL.



<!--- First see if the login client variable access variable exists and is
      equal to yes.
      If so now look at the user's path. If they are in the documents folder, throw
      them out because they have not logged in --->
<cfif (isdefined("client.access") eq "false" OR client.access eq "no") and
      cgi.HTTP_HOST eq "http://xxxxxx/documents/">

    <!--- Throw the user to the login page as they are trying to
          download a document without logging in --->
    <cflocation url="http://xxxxxx/login.cfm" addtoken="no">

</cfif>





"insuractive" <webforumsuser@macromedia.com> wrote in message
news:f0l7aa$hrm$1@forums.macromedia.com...
> You could also place it in a non web-accessible directory and use <cffile>
> to retrieve and present the file. Assuming that you have access to <cffile>
> in your hosting environment, this is probably going to be the most secure
> because it prevents anyone from accessing the file except through your CF
> interface.


LEGEND, May 01, 2007

that will not stop anyone from directly typing a url to a document and
accessing it. application.cfm attaches only to .cfm files.

follow insuractive's advice - that's the best thing you can do.
--

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com
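
The approach recommended above (files kept outside the web root and handed out only by a .cfm page, so the login check actually runs) could look like the following. This is an added example, not code from any post in this thread: the page name download.cfm, the docRoot path, the url.file parameter and the list of allowed types are assumptions.

```cfml
<!--- download.cfm (hypothetical name). Added example, not from the thread. --->

<!--- Assumed location: a folder the web server does NOT map to any URL --->
<cfset docRoot = "D:\private\distributor_docs\">

<!--- Assumed allowlist of extensions and the MIME type sent for each --->
<cfset allowedTypes = structNew()>
<cfset allowedTypes["xls"] = "application/vnd.ms-excel">
<cfset allowedTypes["pdf"] = "application/pdf">

<!--- 1. Same login test as documents.cfm. Because this is a .cfm request,
         the check runs every time a document is fetched. --->
<cfif NOT (isDefined("client.access") AND client.access EQ "YES")>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- 2. Validate the requested name. Only a plain "name.ext" is accepted,
         so slashes, backslashes and ".." can never reach the file system
         and the request cannot leave docRoot. --->
<cfparam name="url.file" default="">
<cfset ext = lCase(listLast(url.file, "."))>

<cfif NOT reFind("^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$", url.file)
      OR NOT structKeyExists(allowedTypes, ext)
      OR NOT fileExists(docRoot & url.file)>
    <!--- Same response for "bad name" and "no such file" --->
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 3. Read the file with <cffile> and stream it to the browser --->
<cffile action="readBinary" file="#docRoot##url.file#" variable="fileData">
<cfheader name="Content-Disposition" value='attachment; filename="#url.file#"'>
<cfcontent type="#allowedTypes[ext]#" variable="#fileData#" reset="true">
```

The links on documents.cfm would then point to download.cfm?file=pricelist.xls instead of /documents/pricelist.xls, and the old /documents/ folder is removed from the web root so no direct URL to the file exists.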

LEGEND, May 01, 2007


stupid me of course!!


"Azadi" <azadi@sabai-dee.com> wrote in message
news:f16pfe$luf$3@forums.macromedia.com...
> that will not stop anyone from directly typing a url to a document and
> accessing it. application.cfm attaches only to .cfm files.
>
> follow insuractive's advice - that's the best thing you can do.
> --
>
> Azadi Saryev
> Sabai-dee.com
> http://www.sabai-dee.com

