3 Replies Latest reply on Dec 19, 2007 2:36 PM by Homestar9

    How to Password Protect a Directory so all Files are Protected?

    Homestar9 Level 1
      Hello CFers and Happy Holidays,

      I am moving a web site from a Linux server over to a Windows 2000 server. The site was currently password protected via the oh so familiar .htaccess method on the Linux server. Now that the site is on IIS on Windows, the .htaccess files don't work.

      I have created an MSSQL database with a users table that contains all of the usernames and passwords that are allowed to access the site.

      Normally I would just log users in by querying the database, setting a session variable, and then using application.cfm to check to make sure the user is logged in. However, in this particular site, most of the files are made up of .htm files which do not get processed by the ColdFusion application.cfm tag.

      Several posts indicated that I would need to disable anonymous access within IIS and then create the individual user accounts within Administrative Tools > Computer Management > Users and Groups. However, in this case, I don't want to create thousands of new users within windows.

      Is there a way for me to password protect all files within a directory while still using the accounts set up in my MSSQL database for authentication?

      Thanks,
      David Levin
        • 1. Re: How to Password Protect a Directory so all Files are Protected?
          c_wigginton Level 1
          If you were delivering a single package, such as a zip, a pdf, or something to download, you could move the files outside of a web accessible directory and then deliver the files with cfheader and cfcontent.

          Since you are trying to protect htm pages along with standard elements such as images, you have to protect at the IIS level. Since the built-in IIS authentication isn't going to do it for you, you need to look into ISAPI filters. Information is a little sparse, but there is a commercial solution that would lock down directories based on a database.

          http://www.flicks.com/flicks/authx.htm
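
The cfheader/cfcontent delivery described in the first paragraph of the reply above, sketched as an added example that is not part of the original post. The page name download.cfm, the session.loggedIn flag, the folder D:\protected_files and the extension list are assumptions made for illustration; session management is assumed to be enabled for the application.

```cfml
<!--- download.cfm (hypothetical gateway page, added example).
      Assumes login.cfm sets session.loggedIn after checking the MSSQL
      users table, and that D:\protected_files (constructed path) is
      outside the web root so IIS cannot serve it directly. --->
<cfparam name="url.file" default="">
<cfset baseDir = "D:\protected_files">

<!--- Refuse anyone without an authenticated session. --->
<cfif NOT StructKeyExists(session, "loggedIn") OR NOT session.loggedIn>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- Keep only the file name, then resolve it under baseDir and confirm
      the canonical parent is still baseDir, so "..\" sequences or an
      absolute path in url.file cannot reach other folders. --->
<cfset fileName  = GetFileFromPath(url.file)>
<cfset target    = CreateObject("java", "java.io.File").init(baseDir, fileName)>
<cfset baseCanon = CreateObject("java", "java.io.File").init(baseDir).getCanonicalPath()>

<cfif fileName EQ "" OR NOT target.isFile()
      OR target.getParentFile().getCanonicalPath() NEQ baseCanon>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Allow-list of deliverable extensions and their content types. --->
<cfset types = StructNew()>
<cfset types["pdf"] = "application/pdf">
<cfset types["zip"] = "application/zip">
<cfset ext = LCase(ListLast(fileName, "."))>
<cfif NOT StructKeyExists(types, ext)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Stream the file; deletefile="no" leaves the original in place. --->
<cfheader name="Content-Disposition" value='attachment; filename="#fileName#"'>
<cfcontent type="#types[ext]#" file="#target.getCanonicalPath()#" deletefile="no">
```

Every request for a protected file has to go through this page for the session check to apply, which is why the reply treats it as a fit for individual downloads rather than for a tree of .htm pages and images.
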
          • 2. Re: How to Password Protect a Directory so all Files are Protected?
            Level 7
            > Several posts indicated that I would need to disable anonymous access within
            > IIS and then create the individual user accounts within Administrative Tools >
            > Computer Management > Users and Groups. However, in this case, I don't want to
            > create thousands of new users within windows.

            How many users did you have in your .htaccess config? That's how many
            you'd need to set up in IIS. With IIS & file system permissions you're
            effecting the same thing you would with Apache's .htaccess authorisation.
            Except using GUI tools rather than text files; it's the same principle,
            though.

            Or... you could just install Apache and use that instead, sticking with the
            approach you're used to.

            --
            Adam
            • 3. Re: How to Password Protect a Directory so all Files are Protected?
              Homestar9 Level 1
              Adam, I would like to stick with IIS. There are thousands of user accounts so I would prefer to use MSSQL to store the accounts.

              wigginton, thanks for your tip. That software package looks like it might do exactly what I need. Does that package use ISAPI filters? I wonder if it would be worthwhile to develop my own solution using ISAPI filters. From the description of the product it looks like you can create a bridge between IIS and MSSQL.

              I'll do some more research on ISAPI filters and ColdFusion. Google hasn't yielded too many useful resources thus far.