Participant
November 7, 2008
Answered

Application.cfc & locking down media files

Hi,

I've used a login framework for the Application.cfc (from Forta's CF8 book chapter 23). It successfully locks down .cfm files, but media/image files such as .jpg are still unsecure.

What am I missing to make sure that no matter what's in the folder, whether it be .jpg, .gif, .mov, .swf, etc., it will only be accessible if the site visitor has the proper login credentials?

I could probably "lock" the media files away in a database structure, but that's not very efficient. I'm sure CF8 has an easy way to handle this that I just don't know about.

Thank you for your help!
    Correct answer Newsgroup_User
    the only secure way to not allow access to a web content is to not put
    it on the web. cf never processes those 'media' files you mention - it
    is your web server that handles requests for them.

    so either:
    a) move those files into non-web-accessible part of your server and
    serve them with cf via file system interaction tags/functions and
    cfcontent/cfheader combinations
    b) configure cf to process those files instead of your web server

    mind you, both options above may add significant processing overhead to
    your application, so balance the need to secure access to those files
    and your app performance wisely...

    Azadi Saryev
    Sabai-dee.com
    http://www.sabai-dee.com/
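
Option (a) from the answer above, sketched as an added example that is not part of the original thread: a CFML page inside the web root (so Application.cfc and its login check run first) that streams a file stored outside the web root with cfheader and cfcontent. The page name `serveMedia.cfm`, the `session.auth.isLoggedIn` flag, the `url.file` parameter and the `D:\protected_media\` path are assumptions for illustration.

```cfml
<!--- serveMedia.cfm (hypothetical name). Called as serveMedia.cfm?file=photo.jpg --->
<cfsetting enablecfoutputonly="true" showdebugoutput="false">

<!--- Assumption: the login framework sets session.auth.isLoggedIn after a successful login. --->
<cfif NOT (structKeyExists(session, "auth")
           AND structKeyExists(session.auth, "isLoggedIn")
           AND session.auth.isLoggedIn)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Assumption: protected files live here, outside every web-served directory. --->
<cfset mediaRoot = "D:\protected_media\">

<!--- Extension allowlist, mapped to the MIME type sent to the browser. --->
<cfset mimeTypes = structNew()>
<cfset mimeTypes["jpg"] = "image/jpeg">
<cfset mimeTypes["gif"] = "image/gif">
<cfset mimeTypes["mov"] = "video/quicktime">
<cfset mimeTypes["swf"] = "application/x-shockwave-flash">

<cfparam name="url.file" default="">

<!--- Accept a bare file name only: letters, digits, underscore or hyphen, one dot, an extension.
      Slashes, backslashes and ".." are rejected, so the path cannot leave mediaRoot. --->
<cfif NOT reFind("^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$", url.file)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<cfset ext = lCase(listLast(url.file, "."))>
<cfset fullPath = mediaRoot & url.file>

<!--- Unknown extension or missing file: same response, so the page does not reveal which. --->
<cfif NOT structKeyExists(mimeTypes, ext) OR NOT fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Keep shared caches from storing content that required a login. --->
<cfheader name="Cache-Control" value="private, no-store">
<cfheader name="Content-Disposition" value="inline; filename=""#url.file#""">
<cfcontent type="#mimeTypes[ext]#" file="#fullPath#" deletefile="false" reset="true">
```

Pages then reference the handler instead of the file itself, for example `<img src="serveMedia.cfm?file=photo.jpg">`.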

    2 replies

    Inspiring
    November 7, 2008
    Azadi wrote:
    > the only secure way to not allow access to a web content is to not put
    > it on the web. cf never processes those 'media' files you mention - it
    > is your web server that handles requests for them.
    >
    > so either:
    > a) move those files into non-web-accessible part of your server and
    > serve them with cf via file system interaction tags/functions and
    > cfcontent/cfheader combinations
    > b) configure cf to process those files instead of your web server
    >
    > mind you, both options above may add significant processing overhead to
    > your application, so balance the need to secure access to those files
    > and your app performance wisely...
    >

    As well as these CF solutions mentioned by Azadi, you can look into the
    security options of your web server and try to apply them. These work
    differently than the ColdFusion based solution, but they get to the same
    end.
    Participant
    November 7, 2008
    Hi Ian,

    Thanks for your advice. I'll experiment with the server settings and see if any of that works with my functional needs.

    Thanks!
    Participant
    November 7, 2008
    Hi Azadi,

    Thanks for responding to this thread. I think I'll try the non-public folder with a cfcontent scenario and see what happens. Although, this really doesn't seem "scalability" friendly for future multi-threading scenarios that could arise. But, I guess I can adapt to that later.

    I'll look into some more server-side features, too... I'll also be on the lookout for any other technologies that help protect intellectual property. It's definitely a tough cookie on the web!

    Thanks again!