Well, one standard response to this is to put those document files that are not CF into a directory outside the webroot, and then have a CFM page that can be used to access them, returning them using the cfcontent tag. This will add overhead, as a CF thread is not handling sending those documents out, but you are restricting access to them successfully.
Have you used cfcontent before?
Thank you, Joe, for your answer. Yes, I have used cfcontent before, when I had PDF files stored in binary fields of a database. The traffic there was low and I had no other option.
About your idea to store these non-CF files in folders outside the root of the site: well, it's close to the idea of binary fields in the db, because in this case too I will have to read (load) all these files into a CF variable using CFFile and then present them using this variable in CFContent. In both cases I will have to load a huge volume of data into CF variables. Could this be avoided?
1) The cfcontent tag has a file property that allows you to serve up files directly without having to load the contents into a variable.
2) But if you really want security of all web content, the web server has better tools to secure everything going through it, rather than the application server. You would need to dig into the capabilities of your web server of choice.
Well, if you use the file="" attribute of cfcontent you don't have to
'load' them first. Example:-
I'm not completely sure how much load this will mean, but it 'should'
just pass the file through it (your security logic goes before it
Why not try an example of it on a large file - time it just from
downloading it in the browser, and then via this mechanism - just to get
a feel for it? It will consume a CF thread for the download, but there
will be no 'load' step afaik.
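
The approach discussed in this thread, as an added example that is not part of any of the original posts: a gatekeeper page that runs the access check first and then streams a file from outside the webroot with the `file` attribute of cfcontent, so nothing is read into a CF variable. The page name `download.cfm`, the `docRoot` directory, the `session.userId` login marker, the `url.doc` parameter and the extension list are all assumptions, and session management is assumed to be enabled for the application.

```cfml
<!--- download.cfm (added example). docRoot, session.userId and url.doc are hypothetical names. --->
<cfset docRoot = "/data/protected_docs/"><!--- assumed directory outside the webroot --->

<!--- 1. Security logic goes before any file bytes are sent --->
<cfif NOT structKeyExists(session, "userId")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 2. Accept a bare file name only: reject anything carrying a directory part,
         then allow-list the characters and the extension. This keeps requests
         such as ../../somefile from escaping docRoot. --->
<cfparam name="url.doc" default="">
<cfset fileName = getFileFromPath(url.doc)>
<cfif fileName NEQ url.doc OR NOT reFindNoCase("^[a-z0-9_\-]+\.(pdf|doc|xls)$", fileName)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. The file must exist under docRoot --->
<cfset fullPath = docRoot & fileName>
<cfif NOT fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 4. Map the allow-listed extension to a content type --->
<cfset types = {pdf = "application/pdf", doc = "application/msword", xls = "application/vnd.ms-excel"}>
<cfset ext = lCase(listLast(fileName, "."))>

<!--- 5. Stream the file from disk. reset="yes" discards any output generated so far;
         deletefile="no" leaves the source file in place. --->
<cfheader name="Content-Disposition" value='attachment; filename="#fileName#"'>
<cfheader name="X-Content-Type-Options" value="nosniff">
<cfcontent type="#types[ext]#" file="#fullPath#" deletefile="no" reset="yes">
```

A per-document authorization check (which user may read which file) would go in step 1 alongside the login check; each download still occupies a CF request thread for its duration.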