This can be done fairly easily actually with cookies or session variables.
You just need to have a login function of some sort that sets a cookie or a session variable that allows the person to go to the download page. If they go to the download page and they do not have the cookie/variable set, they are bounced to another page using a cflocation tag.
<cfif NOT ISDEFINED("session.loggedin") OR NOT session.loggedin>
Take a look at these topics in the ColdFusion documentation
Managing Files on the Server
1. Do you intend to store the files on the filesystem or in a database?
2. Does your site currently use basic authentication (or integrated authentication for Windows) or another login process or will you be implementing security from scratch?
Thanks... I got a bit of a direction with that.
However, what I am afraid of is people who have logged in can easily just copy the download link and send it to friends who can then download it directly without going through a login page.
I will be storing the files in a filesystem. I am not sure if storing them in root folders will be secure enough or if it is possible to download files from these root folders. I suppose using the CFFILE tag, I could bridge that gap.
As for security, I was going to use CF to build a "login" application myself.
Do not save files to a directory on your website. Save your files to another directory outside your website or on a file server (if reading files from another server, be sure that the user account ColdFusion runs as has permissions to read files on that server). Use the cfcontent tag to make the file available to web users only if they are authenticated.
> Use the cfcontent tag to make the file
> available to web users only if they are authenticated.
Be *very* wary of doing this. <cfcontent> holds a server thread open for
the entire time the file is downloading. Having more than a few of these
actions occurring at once can grind a server to a stand-still.
(NB: I've steered clear of this approach since 6.1, so maybe it's been
sorted out since... I daren't try again)
Login process creates session variable:
<cfset session.login = "yes">
Then on each page that you want to protect put this as the very first line:
<cfif Not IsDefined("session.login")>
You can make the validation part as detailed as you want.
The best thing to then do is make it a separate file and include it with <cfinclude> at the top of each protected page
Please use the <cflogin> tag to protect your ColdFusion files
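The suggestions in this thread (a session check at the top of the page, files kept outside the web root, delivery through cfcontent) combined into one download page. This is an added example, not code from any poster; `session.loggedin` follows the first reply, while `download.cfm`, `login.cfm`, the `url.file` parameter and the `D:\protected_files\` directory are assumed names, and session management is assumed to be enabled in the application.

```cfml
<!--- download.cfm (hypothetical file name): added example for this thread --->

<!--- Assumption: a directory OUTSIDE the web root, readable by the account
      ColdFusion runs as. No URL maps to it, so a file can only leave the
      server through this page. --->
<cfset storageDir = "D:\protected_files\">

<!--- 1. Session gate. A download link copied to someone else carries no
         session, so that request is bounced to the login page.
         cflocation stops processing of this page. --->
<cfif NOT structKeyExists(session, "loggedin")
      OR NOT isBoolean(session.loggedin)
      OR NOT session.loggedin>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- 2. Validate the requested name before it touches the filesystem.
         Only "name.ext" made of letters, digits, "_" and "-" is accepted,
         which rules out slashes, drive letters and ".." sequences. --->
<cfparam name="url.file" default="">
<cfif NOT reFind("^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$", url.file)>
    <cfheader statuscode="400">
    <cfabort>
</cfif>

<cfset fullPath = storageDir & url.file>
<cfif NOT fileExists(fullPath)>
    <cfheader statuscode="404">
    <cfabort>
</cfif>

<!--- 3. Hand the file to the browser as a download. The name was validated
         above, so it is safe to place in the header. --->
<cfheader name="Content-Disposition" value='attachment; filename="#url.file#"'>
<cfcontent type="application/octet-stream" file="#fullPath#" deletefile="no" reset="yes">
```

A link of the form `download.cfm?file=report.pdf` (constructed sample) then works only for a browser that holds a logged-in session. The server-thread concern raised earlier in the thread applies to step 3.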