3 Replies Latest reply on Jan 30, 2007 2:39 PM by gmahler5th

    CF to protect binary documents

    gmahler5th
      /secure/protected-doc.pdf is located in a subdirectory. I'd like to require users to log in before accessing it. I know how to implement login using CF, but I'm not sure how to do it for binary docs, because when I request www.mydomain.com/secure/protected-doc.pdf in a Web browser, I can download and read it in spite of there being an Application.cfm and login forced for .cfm files in the /secure directory.
        • 1. Re: CF to protect binary documents
          Level 7
          Because when I request www.mydomain.com/secure/protected-doc.pdf in a
          Web browser, I can download and read it in spite of there being
          Application.cfm and Login forced for .cfm files in the /secure directory.


          Of course, because when the web server receives that request for
          protected-doc.pdf it looks at the extension - checks it against its
          mappings and goes "this is NOT a ColdFusion Extension." So it does not
          call ColdFusion to serve this page. The same thing happens with any
          non-ColdFusion resource. The web server does not call ColdFusion for
          every file on the server.


          If you want to use ColdFusion to protect this file, the usual procedure
          is to move the resource to a directory that is NOT accessible to the web
          root. Then create a cfm template that uses ColdFusion code such as
          <cfcontent...> and/or <cffile...> to retrieve and serve up the file.
          You will also probably want to make liberal use of <cfheader...> so that
          the browser understands what type of data it is getting, since it is
          expecting normal HTML from a cfm extension, not binary files. You can
          then apply all normal security you desire to this gateway template.

          There are many tutorials and discussions with code examples to
          accomplish this. A bit of Googling should give you anything you need.
          • 2. Re: CF to protect binary documents
            c_wigginton Level 1
            Move the documents outside of a web-accessible directory but still accessible to ColdFusion.

            Perform your login tests in the Application.cfm.

            When you output your file list for selection, the URL should call a
            template (this code) that does the file retrieval.

            Look at the cfib.org site for the getMimeType() UDF.


            <cfsetting enablecfoutputonly="yes">

            <!--- Set the download header before the content is sent --->
            <cfheader name="Content-Disposition" value='attachment; filename="#fileName#"'>
            <!--- Stream the file byte for byte: cffile action="read" reads it as text,
                  which corrupts binary documents such as PDFs --->
            <cfcontent type="#getMimeType(fileName)#" file="#filepath#" deleteFile="no">
            <cfsetting enablecfoutputonly="no">
            • 3. Re: CF to protect binary documents
              gmahler5th Level 1
              Both answers seem pretty much accurate. I am giving credit to c_wigginton for the code sample, which helped me to save time and clicks.
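
The gateway template described in replies 1 and 2, written out as an added example that is not code from the thread: it checks the login, accepts only a bare file name with an allow-listed extension so the request cannot reach files outside the document directory, and streams the file as binary. The `session.loggedIn` flag, the `docRoot` path, the `url.file` parameter and the `download.cfm` name are assumptions, and session management is assumed to be enabled in Application.cfm.

```cfml
<!--- download.cfm (hypothetical name): added example, not from the thread.
      Requested as download.cfm?file=protected-doc.pdf --->
<cfsetting enablecfoutputonly="yes" showdebugoutput="no">

<!--- Placeholder path: a directory outside the web root that ColdFusion can read --->
<cfset docRoot = "D:\private-docs\">

<!--- Allow-list of servable extensions and their MIME types --->
<cfset mimeTypes = structNew()>
<cfset mimeTypes["pdf"] = "application/pdf">
<cfset mimeTypes["doc"] = "application/msword">
<cfset mimeTypes["zip"] = "application/zip">

<!--- 1. Check the login in the gateway itself, in addition to Application.cfm.
      session.loggedIn is an assumed boolean set by the login code. --->
<cfif NOT (structKeyExists(session, "loggedIn") AND session.loggedIn)>
  <cfheader statuscode="403" statustext="Forbidden">
  <cfabort>
</cfif>

<!--- 2. Accept only a bare file name: no directory part, no "..",
      a restricted character set, a known extension, and an existing file --->
<cfparam name="url.file" default="">
<cfset fileName = getFileFromPath(url.file)>
<cfset ext = lCase(listLast(fileName, "."))>
<cfif fileName NEQ url.file
      OR NOT reFind("^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$", fileName)
      OR NOT structKeyExists(mimeTypes, ext)
      OR NOT fileExists(docRoot & fileName)>
  <cfheader statuscode="404" statustext="Not Found">
  <cfabort>
</cfif>

<!--- 3. Send the header, then stream the bytes unchanged.
      fileName is already limited to characters that are safe in the header. --->
<cfheader name="Content-Disposition" value='attachment; filename="#fileName#"'>
<cfcontent type="#mimeTypes[ext]#" file="#docRoot##fileName#" deleteFile="no">
```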