Known Participant
February 12, 2009
Question

URL to pass variable, but how to keep it secure?

Hi,

I have created a login to a website. Some users can download an application. Those who can will receive a link that says "Download". I need a way to make the URL to the download private - so those who aren't supposed to have the application can't simply type in the url and grab it. My question is, how can I create a URL that is dynamic?

Thanks,

Amy

    7 replies

    Known Participant
    February 12, 2009
    Okay, this is the error I get:

    The file specified in contentTag does not exist.
    c:\myapp\application.exe not found.

    The error occurred in

    login_action.cfm: line 35

    33 :
    34 : <cfif SESSION.isLoggedIn EQ "yes" AND SESSION.isUserAdmin EQ "yes">
    35 : <cfcontent file="c:\myapp\application.exe">
    36 : or if cfcontent doesn't work
    37 : <cfheader name='Content-Disposition' value="attachment;filename=c:\myapp\application.exe">


    So how do I define ContentTag?

    Thanks, you're very helpful!
    February 12, 2009
    No no. That was just dummy data, you need to replace what I put there with the actual location of your file. So if you put it under "c:\mysecurelocation\myapp.exe", that is the file path you would use.

    You basically need to tell ColdFusion, "hey buddy, this is where my file is stored, give it to the admin".

    ColdFusion is telling you that the file location you supplied does not exist in the "contentTag".
    February 12, 2009
    Okay Amy, I'm going to bed now cuz it's 11:12pm in South Africa and I'm pretty tired now. I've had a nasty week and am going to "Club Duvet". I'll check in on you 2mor though. Good luck sweety. Don't give up on ColdFusion cuz once you go Cold you don't go back.

    Here's some code I tested that worked for me. Use cfheader to supply information about the file.


    Known Participant
    February 12, 2009
    Thank you very much for your help! I think it's working. Just need to check a few things. Thanks so much.
    Known Participant
    February 12, 2009
    Sorry, let me be more clear. This is what I have:


    <cfquery datasource="myDB" name="qryLogin">
    SELECT username, userpassword, userrole
    FROM userinfo
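    <!--- Bind form input with cfqueryparam so it cannot alter the SQL statement --->
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
    AND userpassword = <cfqueryparam value="#form.userpassword#" cfsqltype="cf_sql_varchar">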
    </cfquery>

    <cfif qryLogin.recordCount gt 0>
    <font face="Arial, Helvetica, sans-serif" size="-1">Login successful. Welcome <cfoutput>
    #username#. </cfoutput>

    <cfset SESSION.isLoggedIn ="yes">


    <cfif "#qryLogin.userrole#" eq "0">
    </cfif>
    NEED ABILITY TO DOWNLOAD HERE

    <cfelse>
    Blah blah blah, you can't download.
    </cfif>



    <cfelse>

    <font face="Arial, Helvetica, sans-serif" size="-1" color="#990000">That record does not exist. Please try again.
    <cfinclude template="login_form.cfm">
    <cfabort></cfif>

    <cfif not isDefined ("SESSION.isLoggedIn")>
    Please log in.<cfabort></cfif>


    So how do I fix this?

    Thanks for your help!

    Amy
    February 12, 2009
    Okay, based on what you have given me: you don't want the user having to download the app every time they log in, so giving them a link somewhere is a better idea (that way, they decide). Also, you will want to add another value to the Session variable for "userrole".

    Now, like I mentioned before, you create another page called "downloadApp.cfm" and in there you check your session variable to see whether a user is logged in and whether they are admin users, like so.
    Known Participant
    February 12, 2009
    I'm pretty new at CF so please excuse my ignorance, but how do I define "login.userpermissions"?
    February 12, 2009
    Oh no, I am terribly sorry, I did not know you were new to CF and totally showed you dummy code that was confusing.

    My dummy code was assuming you understood and have built components to handle your User permissions.

    Generally, when you create a login-based website it is a good idea to keep a Session variable that contains user-specific information. In your case, whether the user is logged in and whether they are an admin.

    If so, all you do is check your Session variable for whether they are logged in and if they are an admin, like so:

    Known Participant
    February 12, 2009
    Okay, I'll give that a try. THANK YOU.

    Basically, anyone who is going to get to the site must log in. If you're logged in as "admin" you can grab the app. I'll try cfcontent and see what happens.

    THANK YOU very much!
    Inspiring
    February 12, 2009
    one important bit that CF-Pensioner has missed is that the file has to
    be outside of your webroot (not web-accessible).

    Azadi Saryev
    Sabai-dee.com
    http://www.sabai-dee.com/
    February 12, 2009
    Hi amy,

    You could simply make the user log in to acquire the download and then use cfcontent to serve them the file instead of linking to it directly.

    How are you planning on giving them the link?
    February 12, 2009
    Okay to clarify my thinking.

    User visits your site and clicks on, "Download my fab application".

    User gets taken to a page where they have to enter their username and password and log in.

    User logs in successfully and your login process page serves them a file using cfcontent.
    February 12, 2009
    Oops, I forgot. Thanks Azadi for picking that up.

    You also said only some users, so when they log in to your site you check if they're allowed and provide a link like the following:

    www.amyssite.com/downloadFabApp.cfm

    User visits link and your downloadFabApp.cfm page very cleverly provides the app using cfcontent.

    The key here is you also check in your downloadFabApp.cfm page that the user is logged in and that they can download the app.

    Here is some example code for using cfcontent to do this
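
The download page the replies describe, written out as an added example (not code posted by anyone in this thread): it checks the session flags on every request, then serves a file stored outside the webroot with cfheader and cfcontent. The file path is a placeholder, and session management is assumed to be enabled with SESSION.isLoggedIn and SESSION.isUserAdmin set by the login page.

```cfml
<!--- downloadFabApp.cfm : added example, not the posters' code.
      Assumes the login page sets SESSION.isLoggedIn and SESSION.isUserAdmin,
      and that the file lives outside the webroot (the path below is a placeholder). --->
<cfset downloadPath = "c:\mysecurelocation\myapp.exe">

<!--- Deny by default: a missing session key counts as "not allowed". --->
<cfif NOT structKeyExists(SESSION, "isLoggedIn")
      OR NOT structKeyExists(SESSION, "isUserAdmin")
      OR SESSION.isLoggedIn NEQ "yes"
      OR SESSION.isUserAdmin NEQ "yes">
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>You are not allowed to download this file.</cfoutput>
    <cfabort>
</cfif>

<!--- Fail cleanly if the file is missing, rather than showing an error page
      that reveals the server-side path. --->
<cfif NOT fileExists(downloadPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput>The download is not available.</cfoutput>
    <cfabort>
</cfif>

<!--- Content-Disposition carries only the bare file name, never the server path. --->
<cfheader name="Content-Disposition"
          value="attachment; filename=#getFileFromPath(downloadPath)#">

<!--- cfcontent streams the file from disk; reset="true" discards any output
      generated earlier in the request so the download is not corrupted. --->
<cfcontent type="application/octet-stream" file="#downloadPath#" reset="true" deletefile="no">
```

Because the permission check runs inside this page, typing the URL directly without an admin session returns the 403 response, not the file.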