AXcrystallis
Known Participant
July 6, 2009
Question

Restricted access to non cf files using cf


I have a question whose answer may be interesting and useful for many CF developers. Here it is.

I have a site, and I have a folder where access is restricted and I have a login page asking for user name and password. As usual I check these access data in my database and I give or do not give access to the content of this folder. Nothing special until now.

Let's suppose

The root folder of my site is        C:\MySite

The restricted access folder is    C:\MySite\MembersFolder

In the root folder I have the login page   C:\MySite\login.cfm

In the restricted access folder and its subfolders I have various CF pages e.g.

--   C:\MySite\MembersFolder\page1.cfm ,

--   C:\MySite\MembersFolder\folder2\page2.cfm  etc

Whenever someone logs in successfully I keep a session variable with his name, userid etc. blah blah. So whenever someone tries to access a restricted access page, e.g. C:\MySite\MembersFolder\page1.cfm, I check if there is or there is not the session variable of his access. If the session variable exists I give access, otherwise I send him to the login page. Again nothing special. Just a typical process.

My question is.

All the above can restrict access to any CF page in the folder  C:\MySite\MembersFolder

BUT what about any other content in this folder, e.g. PDF, jpg, doc files etc.?

Because someone not logged in can just write in his browser:  http://www.MySite.com/MembersFolder/MyBook.pdf  and can get the PDF file without logging in!!!

Any idea how I can restrict access to any kind of content (htm, cfm, pdf, jpg, doc, xls etc.) using ColdFusion?

(Well, I know I can store these kinds of files in binary fields of the database instead of storing them as files, but I don't think it's realistic. These files (pdf, doc, tiff, xls) can be many MB and it's not realistic to read these huge files from the database on a medium or high traffic site.)

So any other idea?

Thanks in advance for your response.

KianX

1 reply

July 6, 2009

Well, one standard response to this is to put those document files that are not CF into a directory outside the webroot, and then have a CFM page that can be used to access them, returning them using the cfcontent tag.  This will add overhead, as a CF thread is not handling sending those documents out, but you are restricting access to them successfully.

Have you used cfcontent before?

AXcrystallis
Known Participant
July 6, 2009

Thank you, Joe, for your answer. Yes, I have used cfcontent before when I had PDF files stored in binary fields of a database. The traffic there was low and I had no other option.

About your idea to store these non-CF files in folders outside the root of the site: well, it's close to the idea of binary fields of the db, because in this case too I will have to read (load) all these files into a CF variable using CFFile and then present them using this variable in the CFContent. In both cases I will have to load a huge volume of data into CF variables. Could this be avoided?

Thanks anyway.

KianX

ilssac
Inspiring
July 6, 2009

1) The cfcontent tag has a file property that allows you to serve up files directly without having to load the contents into a variable.

2) But if you really want security of all web content, the web server has better tools to secure everything going through it, rather than the application server.  You would need to dig into the capabilities of your web server of choice.
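
The approach described in the replies above (files outside the webroot, a CFM page that checks the session, and cfcontent with its file attribute), as an added example that is not part of any post in the thread. The page name `getfile.cfm`, the URL parameter `name`, the session key `session.userid` and the directory `C:\MySiteDocs\Members\` are assumptions made for illustration.

```cfml
<!--- getfile.cfm (hypothetical name): gatekeeper for non-CF files kept outside the webroot.
      Called as /getfile.cfm?name=MyBook.pdf instead of linking to the file directly. --->

<!--- Assumption: session management is enabled in Application.cfm/cfc and
      login.cfm sets session.userid after a successful login. --->
<cfif NOT structKeyExists(session, "userid")>
    <cflocation url="/login.cfm" addtoken="no">
</cfif>

<!--- Assumption: the documents were moved out of C:\MySite\MembersFolder to a
      directory the web server does not map to any URL. --->
<cfset docRoot = "C:\MySiteDocs\Members\">
<cfparam name="url.name" default="">

<!--- Accept only a plain file name. Rejecting slashes, backslashes and ".."
      keeps the request from reaching files outside docRoot. --->
<cfif NOT reFind("^[A-Za-z0-9_\-]+\.[A-Za-z0-9]+$", url.name)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- Allow-list of extensions and the MIME type sent for each. --->
<cfset mimeTypes = structNew()>
<cfset mimeTypes.pdf = "application/pdf">
<cfset mimeTypes.jpg = "image/jpeg">
<cfset mimeTypes.doc = "application/msword">
<cfset mimeTypes.xls = "application/vnd.ms-excel">

<cfset ext = lCase(listLast(url.name, "."))>
<cfset filePath = docRoot & url.name>

<cfif NOT structKeyExists(mimeTypes, ext) OR NOT fileExists(filePath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- The file attribute sends the file from disk, so its contents are never
      read into a CF variable with cffile. --->
<cfheader name="Content-Disposition" value='attachment; filename="#url.name#"'>
<cfcontent type="#mimeTypes[ext]#" file="#filePath#" deletefile="no" reset="yes">
```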