Because when I request www.mydomain.com/secure/protected-doc.pdf in a
Web browser, I can download and read it in spite of there being
Application.cfm and Login forced for .cfm files in the /secure directory.
Of course, because when the web server receives that request for
protected-doc.pdf it looks at the extension - checks it against its
mappings and goes "this is NOT a ColdFusion Extension." So it does not
call ColdFusion to serve this page. The same thing happens with any
non-ColdFusion resource. The web server does not call ColdFusion for
every file on the server.
If you want to use ColdFusion to protect this file, the usual procedure
is to move the resource to a directory that is NOT accessible to the web
root. Then create a cfm template that uses ColdFusion code such as
<cfcontent...> and|or <cffile...> to retrieve and serve up the file.
You will also probably want to make liberal use of <cfheader...> so that
the browser understands what type of data it is getting, since it is
expecting normal HTML from a cfm extension, not binary files. You can
then apply all normal security you desire to this gateway template.
There are many tutorials and discussions with code examples to
accomplish this. A bit of Googling should give you anything you need.
Move the documents outside of a web accessible directory but still accessible to ColdFusion
Perform your login tests in the Application.cfm
When you output your filelist for selection, the url should call a
template (this code) that does the file retrieval
Look at the cfib.org site for the getMimeType() udf
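<!--- Read the file as binary: action="read" treats it as text and corrupts PDFs --->
<cffile action="readBinary" file="#filepath#" variable="tempFile">
<!--- Set the download header before cfcontent, which sends the data as the whole response --->
<cfheader name="Content-Disposition" value='attachment; filename="#fileName#"'>
<!--- Send the bytes that were read, with the matching MIME type --->
<cfcontent type="#getMimeType(fileName)#" variable="#tempFile#" reset="yes">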
Both answers seem pretty much accurate. I am giving credit to c_wigginton for the code sample, which helped me to save time and clicks.
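
The gateway template both replies describe, written out with the login check and file-name validation in place, as an added example that is not part of the original thread. The template name download.cfm, the session.loggedIn flag, the url.file parameter and the D:\secure-docs path are assumptions, and a fixed extension allowlist stands in for the getMimeType() UDF.

```cfml
<!--- download.cfm: added example gateway template (all names here are assumptions) --->

<!--- Assumption: Application.cfm sets session.loggedIn after a successful login --->
<cfif NOT (structKeyExists(session, "loggedIn") AND session.loggedIn IS true)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Assumption: the documents live here, outside the web root --->
<cfset docRoot = "D:\secure-docs">

<!--- Extension allowlist that doubles as the MIME type lookup --->
<cfset mimeTypes = structNew()>
<cfset mimeTypes["pdf"] = "application/pdf">
<cfset mimeTypes["txt"] = "text/plain">

<cfparam name="url.file" default="">
<cfset fileName = url.file>
<cfset ext = lCase(listLast(fileName, "."))>

<!--- Accept only a plain name.ext: no slashes, backslashes or ".." segments --->
<cfif NOT reFind("^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$", fileName)
      OR NOT structKeyExists(mimeTypes, ext)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Resolve links and confirm the real file still sits directly in docRoot --->
<cfset root = createObject("java", "java.io.File").init(docRoot).getCanonicalPath()>
<cfset target = createObject("java", "java.io.File").init(root & "/" & fileName)>
<cfif NOT target.isFile()
      OR compare(target.getCanonicalFile().getParent(), root) NEQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Headers first, then the file itself as the whole response --->
<cfheader name="Content-Disposition" value='attachment; filename="#fileName#"'>
<cfheader name="X-Content-Type-Options" value="nosniff">
<cfcontent type="#mimeTypes[ext]#" file="#target.getCanonicalPath()#" reset="yes">
```

Every rejection returns the same 404, so a caller cannot use the template to learn which file names exist in the storage directory.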