I am fairly new to ColdFusion, but I do need help with a
rather advanced topic.
My company needs to upload and protect files within our
coldfusion website. So the files can only be downloaded by
looged-in users and their links cannot be copied and sent to other
external users.
Keep in mind I am new to this, so I will need fairly
elaborate explanations.... sorry bout that.
This can be done fairly easily actually with cookies or
session variables.
You just need to have a login function of some sort that sets
a cookie or a session variable that allows the person to go to the
download page. IF they go to the download page and they do not have
the cookie/variable set, they are bounced to another page using a
cflocation tag.
Like
<cfif NOT ISDEFINED("session.loggedin") OR NOT
session.loggedin>
<cflocation url="wherever.com">
</cfif>
Thanks... I got a bit of a direction with that.
However, what I am afraid of is people who have logged in can
easily just copy the download link and send it to friends who can
then download it directly without going through a login
page.
Do not save files to a directory on your website. Save your
files to another directory outside your website or on a file server
( if reading files from a another server be sure that the user
account ColdFusion runs as has permissions to read files on that
server). Use the cfcontent tag to make the file available to web
users only if they are authenticated.
> Use the cfcontent tag to make the file
> available to web users only if they are authenticated.
Be *very* wary of doing this. <cfcontent> holds a
server thread open for
the entire time the file is downloading. Having more than a
few of these
actions occurring at once can grind a server to a
stand-still.
--
Adam
(NB: I've steered clear of this approach since 6.1, so maybe
it's been
sorted out since... I daren't try again)
1. Do you intend to store the files on the filesystem or in a
database?
2. Does your site currently use basic authentication (or
integrated authentication for Windows) or another login process or
will you be implementing security from scratch?
I will be storing the files in a filesystem. I am not sure if
storing them in root folders will be secure enough or if it is
possible to download files from these root folders. I suppose using
the CFFILE tag, I could bridge that gap.
As fre ecsurity I was going to use CF to build a "login"
application myself.
Login process creates session variable:
<cfset session.login = "yes">
Then on each page that you want to protect put this as the
very first line:
<cfif Not IsDefined("session.login")>
<cflocation url="LoginForm.cfm">
</cfif>
You can make the validation part as detailed as you want.
The best thing to then do is make it a separate file and
include it with <cfinclude> at the top of each protected
page
8
Replies
AdChoices