3 Replies Latest reply on Mar 16, 2007 10:01 AM by Newsgroup_User

    Protecting text files with sensitive information

    billdimit
      I have an app where users log in and upload files with very sensitive information (PDFs or Word docs). Depending on the permissions, a user can open and view or save specific files. I'm saving files out of the web server folder and using a middle cfm page (docs.cfm) as a wrapper:

      Link to the docs.cfm:
      <a href="##" onClick="MM_openBrWindow('docs.cfm?name=#docFile#','fileDoc','scrollbars=yes,resizable=yes,width=750,height=550')">#docName#</a>

      and here is docs.cfm code:

      <cfheader name="Content-Disposition" value="attachment; filename=#URL.name#">
      <cfcontent type="application/unknown" file="#Application.docsPath##URL.name#" reset="yes">

      Application.docsPath variable points to D:\myFiles\ folder (not in the web server directory).

      It is still possible to open a file if you guess the file name.

      Is there any way to protect files from unauthorized users and to block them if they try to guess and open a file?

      Thanks,
      b.
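
An added example, not part of the original thread: one way docs.cfm could authorize each request instead of trusting URL.name. Only Application.docsPath and URL.name come from the post; Session.userId, the userDocs table and Application.dsn are assumptions.

```cfml
<!--- docs.cfm, hardened sketch. Assumptions (not from the post):
      Session.userId is set at login; table userDocs(userId, fileName)
      lists the stored files each user may open; Application.dsn is
      the datasource name. --->

<!--- 1. Require an authenticated session. --->
<cfif NOT StructKeyExists(Session, "userId")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 2. Accept only a bare file name: no path separators, drive
         colons or control characters, so the request cannot leave
         Application.docsPath or inject lines into the log. --->
<cfparam name="URL.name" default="">
<cfif Len(URL.name) EQ 0 OR REFind("[/\\:[:cntrl:]]", URL.name) GT 0>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Authorize: this user must have a row for this exact file. --->
<cfquery name="qDoc" datasource="#Application.dsn#">
    SELECT fileName
    FROM   userDocs
    WHERE  userId   = <cfqueryparam value="#Session.userId#" cfsqltype="cf_sql_integer">
    AND    fileName = <cfqueryparam value="#URL.name#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfif qDoc.RecordCount NEQ 1 OR NOT FileExists(Application.docsPath & qDoc.fileName)>
    <!--- Same answer for "not yours" and "no such file", so guessing
          names reveals nothing; the attempt is logged for review. --->
    <cflog file="docAccess" type="warning"
           text="Denied: user #Session.userId# requested #URL.name#">
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 4. Serve the name taken from the database row, not from the URL. --->
<cfheader name="Content-Disposition" value='attachment; filename="#qDoc.fileName#"'>
<cfcontent type="application/unknown" file="#Application.docsPath##qDoc.fileName#" reset="yes">
```

The docAccess log gives a place to watch for repeated denials from one account, which is the guessing behaviour the question asks about blocking.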


        • 1. Re: Protecting text files with sensitive information
          Neo Rye Level 1
          I think the best way to protect them would be to store them in a database and restrict access to the database. The database should also be outside the DMZ. SQL 2005 has some field level encryption if you want to get super protective, but that has some limits of data length that you'll need to work around. We encrypt user passwords with SQL 2005 and it works great. More info here:
          http://blogs.msdn.com/yukondoit/archive/2005/11/24/496521.aspx

          The other possible solution is to place all a user's files into 1 zip file and encrypt and password protect it, not as secure, but would work. You could use their userid and email or something for unique usernames and passwords per file. Each user would have their own zip that you unzipped to give them access to what was inside. When they uploaded the file, you just add it to the zip. This way you could allow them to upload different types of files and handle them all the same way.
          • 2. Protecting text files with sensitive information
            Neo Rye Level 1
            double post removed
            • 3. Re: Protecting text files with sensitive information
              Level 7
              I think the best way to protect them would be to store them in a database and
              restrict access to the database. The database should also be outside the DMZ.
              SQL 2005 has some field level encryption if you want to get super protective,
              but that has some limits of data length that you'll need to work around. We
              encrypt user passwords with SQL 2005 and it works great. More info here:
              http://blogs.msdn.com/yukondoit/archive/2005/11/24/496521.aspx

              The other possible solution is to place all a user's files into 1 zip file and
              encrypt and password protect it, not as secure, but would work. You could use
              their userid and email or something for unique usernames and passwords per
              file. Each user would have their own zip that you unzipped to give them access
              to what was inside. When they uploaded the file, you just add it to the zip.
              This way you could allow them to upload different types of files and handle
              them all the same way.