4 Replies Latest reply on Jul 6, 2009 7:26 AM by GrumpyJoe

    Restricted access to non cf files using cf

    AXcrystallis Level 1

      I have a question that its answer may be interesting and usefull for many CF developers. Here it is.


      I have a site, and I have a folder where access is restricted and I have a login page asking for user name and password. As usually I chech these access data in my database and I give or give not access to the content of this folder. Nothing special until now.

      Let's suppose


      The root folder of my site is        C:\MySite

      The restricted access folder is    C:\MySite\MembersFolder

      In the root folder I have the login page   C:\MySite\login.cfm


      In the restricted access folder and its subfolders I have various CF pages e.g.

      --   C:\MySite\MembersFolder\page1.cfm ,

      --   C:\MySite\MembersFolder\folder2\page2.cfm  etc


      Whenever someone logs in successfully I keep a session variable with his name, userid etc blah blah. So whenever someone tries to access a restricted access page e.g   C:\MySite\MembersFolder\page1.cfm  I check if there is or there is not the session variable of his access. If the session variable exists I give access, otherwise I send him to the login page. Again nothing special. Just typical proccess.


      My question is.

      All the above can restrict access to any CF page in the folder  C:\MySite\MembersFolder

      BUT what about any other content in this folder e.g PDF, jpg, doc files etc ?

      Because someone not logged in can just write in his browser:  http://www.MySite.com/MembersFolder/MyBook.pdf  and can get the PDF file without loggin!!!


      Any idea how can I restrict access to any kind of content (htm, cfm, pdf, jpg, doc xls etc) using coldfusion ?


      (Well I know I can store these kind of files in binary fields of the database.... instead of storing them as files, but I don't think it's realistic. These files pdf, doc, tiff, xls can be many Mb and it's not realistic to read these huge files from the database in middle or high traffic site.)


      So any other idea?


      Thanks in advance for your response.





        • 1. Re: Restricted access to non cf files using cf
          GrumpyJoe Level 1

          Well, one standard response to this is to put those document files that are not CF into a directory outside the webroot, and then having a CFM page that can be used to access them, returning them using the cfcontent tag.  This will add overhead, as a CF thread is not handling sending those documents out, but you are restricting access to them successfully.


          Have you used cfcontent before?

          1 person found this helpful
          • 2. Re: Restricted access to non cf files using cf
            AXcrystallis Level 1

            Thank you Joe for your answer. Yes I have used cfcontent before when having stored pdf files in binary fields of a database. The traffic there was low and I had no other option.


            About your idea to store these non-CF files in folders out of the root of the site well it's close to the idea of binary fields of the db, because and in this case I will have to read (load) all these files in a CF variable using CFFile and then to present them using this variable in the CFContent. In both cases I will have to load huge volume of data in CF variables. Could this be avoided ?


            Thanks anyway.



            • 3. Re: Restricted access to non cf files using cf
              ilssac Level 5

              1) The cfcontent tag has a file property that allows you to server up files directly without having to load the contents into a variable.


              2) But if you really want security of all web content, the web server has better tools to secure everthing going through it, rather then the applicaiton server.  You would need to dig into the capabilities of your web server of choice.

              • 4. Re: Restricted access to non cf files using cf
                GrumpyJoe Level 1

                Well, if you use the file="" attribute of cfcontent you don't have to

                'load' them first.  Example:-




                I'm not completely sure how much load this will mean, but it 'should'

                just pass the file through it (your security logic goes before it



                Why not try an example of it on a large file - time it just from

                downloading it in the browser, and then via this mechanism - just to get

                a feel for it?  It will consume a CF thread for the download, but ther

                will be no 'load' step afaik.