5 Replies Latest reply on May 1, 2007 4:37 PM by Newsgroup_User

    restrict users from downloading files

    Level 7
      Easy one I think, just not sure how to implement

      I have a login area for our distributors on our site. Within this section
      there are sensitive documents (price lists, etc.) available for download.

      I have a documents.cfm page with all the relevant links to the documents.

      At the top of my documents.cfm page I have code that verifies that the user
      has logged in. This would prevent "general" users from accessing the page.


      <cfif isdefined("client.access") AND client.access EQ "YES">
      <!--- Logged in: push the 30-minute timeout forward --->
      <cfset client.timeout = now() + CreateTimeSpan(0, 0, 30, 0)>
      <cfelse>
      <!--- User hasn't logged in: throw them out --->
      <cf_tags_location url="#client.URL#/logout.cfm" addtoken="no">
      </cfif>


      My question is that, in theory, if a user knew the direct URL of the
      Excel document, they could type it in and get around my security, e.g.
      http://www.mysite.com/documents/pricelist.xls

      How could I stop this without putting file permissions on my web server
      folder? Would I have to set up some type of check in my application.cfm page?


        • 1. Re: restrict users from downloading files
          Daverms Level 3
          Hi,

          If your webserver is Apache, then you can put a .htaccess file in place to force the visitors to enter a valid username / password before allowing them to download...
          • 2. Re: restrict users from downloading files
            insuractive Level 3
            You could also place it in a non web-accessible directory and use <cffile> to retrieve and present the file. Assuming that you have access to <cffile> in your hosting environment, this is probably going to be the most secure because it prevents anyone from accessing the file except through your CF interface.
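
The approach described in reply 2, as an added example that is not part of any post in this thread. It streams the file with <cfcontent> and <cfheader> rather than reading it with <cffile>; the page name download.cfm, the url.doc parameter, the login.cfm redirect target and the D:\private\distributor_docs path are assumptions.

```cfml
<!--- download.cfm: added example, not code from the thread.
      Assumed names: download.cfm, url.doc, login.cfm, D:\private\distributor_docs. --->

<!--- Same login test documents.cfm uses. Because this is a .cfm page,
      the check (and application.cfm) runs on every download request. --->
<cfif NOT (isDefined("client.access") AND client.access EQ "YES")>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- Folder outside the web root (assumed path): no URL maps to it,
      so typing a direct address to the .xls file reaches nothing. --->
<cfset docRoot = "D:\private\distributor_docs\">

<!--- Allow-list: the URL carries a short key, never a file name or path,
      so values such as ..\..\ cannot select arbitrary files. --->
<cfset docs = structNew()>
<cfset docs["pricelist"] = "pricelist.xls">

<cfparam name="url.doc" default="">
<cfif NOT structKeyExists(docs, url.doc)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<cfset filePath = docRoot & docs[url.doc]>
<cfif NOT fileExists(filePath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Send the file as an attachment; deletefile="no" keeps the original on disk. --->
<cfheader name="Content-Disposition" value='attachment; filename="#docs[url.doc]#"'>
<cfcontent type="application/vnd.ms-excel" file="#filePath#" deletefile="no">
```

The links on documents.cfm would then point at download.cfm?doc=pricelist instead of /documents/pricelist.xls, and the /documents/ folder under the web root would be emptied.
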
            • 3. Re: restrict users from downloading files
              Level 7
              I was thinking a bit more about this. Could I do something like the
              following and put it in my application.cfm page?
              I'm just not sure which is the best/appropriate cgi variable to use to read
              the user's URL.



              <!--- First see if the client.access login variable exists and is
              equal to yes.
              If so, now look at the user's path. If they are in the documents folder, throw
              them out because they have not logged in. --->

              <cfif (isdefined("client.access") eq "false" OR client.access eq "no") and
              cgi.HTTP_HOST eq "http://xxxxxx/documents/">

              <!--- Throw the user to the login page as they are trying to
              download a document without logging in --->
              <cflocation url="http://xxxxxx/login.cfm" addtoken="no">

              </cfif>





              "insuractive" <webforumsuser@macromedia.com> wrote in message
              news:f0l7aa$hrm$1@forums.macromedia.com...
              > You could also place it in a non web-accessible directory and use <cffile>
              > to retrieve and present the file. Assuming that you have access to <cffile>
              > in your hosting environment, this is probably going to be the most secure
              > because it prevents anyone from accessing the file except through your CF
              > interface.
              >


              • 4. Re: restrict users from downloading files
                Level 7
                that will not stop anyone from directly typing a url to a document and
                accessing it. application.cfm attaches only to .cfm files.

                follow insuractive's advice - that's the best thing you can do.
                --

                Azadi Saryev
                Sabai-dee.com
                http://www.sabai-dee.com
                • 5. Re: restrict users from downloading files
                  Level 7


                  stupid me of course!!


                  "Azadi" <azadi@sabai-dee.com> wrote in message
                  news:f16pfe$luf$3@forums.macromedia.com...
                  > that will not stop anyone from directly typing a url to a document and
                  > accessing it. application.cfm attaches only to .cfm files.
                  >
                  > follow insuractive's advice - that's the best thing you can do.
                  > --
                  >
                  > Azadi Saryev
                  > Sabai-dee.com
                  > http://www.sabai-dee.com