Hello people, I'm having an issue within a ColdFusion application.
The user logs in and accesses a page. The page contains two links: one to another cfm page and the other one to an image.
1. If I copy the URL of the image and then log out from the application, and then paste this URL into the address bar of any browser (which is within the same path) I will be able to see the image. This shouldn't be happening; the Application.cfm page should redirect my request to the login page.
2. However, if I do the same thing with the other link, the one that will take me to the cfm page, then the Application.cfm page will redirect the request to the login page, as it should.
Anyone with an idea how to avoid the behavior described in item 1?
You can't, the image is not constrained to ColdFusion. It does not call the application.cfm when you run anything other than a .cfm, .cfml or .cfc (ColdFusion extensions).
The image, like most media (css, js etc.), is being served by the web server. If you want to restrict access you will need to implement authentication on the web server level.
Your only real option is to output the image onto a page. So the page would still be a cfm; when requested it would process the application.cfm. You would never link directly to the image, just the page that is loading the image.
You would have to do something like cfimage (see "cfimage Code Examples and CFML Documentation") with writeToBrowser to stop the image URL from being seen.
Excellent advice and thank you very much for the explanation!
I will implement it.
Do you have an idea about how to deal with the same situation if the file is an Excel or PDF instead of an image?
You can do the same kind of thing but instead of using cfimage, you can use cfcontent / cfheader.
Something along these lines:
<cfheader name="Content-Disposition" value="attachment; filename=""myfile.xls""">
<cfcontent type="application/vnd.ms-excel" file="#expandPath('myfile.xls')#">
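Putting the two answers together, here is an added example (not from the original thread) of a gated download page. The file name download.cfm, the session.loggedIn flag, the ../protected_files/ directory and the document keys are all assumptions; the point is that the request ends in .cfm, so Application.cfm runs, and the real file never gets a web-server URL of its own.

```cfml
<!--- download.cfm (assumed name): serves a protected document only to an
      authenticated session. Because the request ends in .cfm, Application.cfm
      runs first, which is what a direct link to the image or .xls never did. --->
<cfparam name="url.doc" type="string" default="">

<!--- Assumed session flag set by the login page. Checking it here as well is
      defence in depth in case the Application.cfm redirect is ever removed. --->
<cfif NOT structKeyExists(session, "loggedIn") OR NOT session.loggedIn>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<!--- Allow-list maps a short key to a real file and MIME type. Never build the
      path from url.doc directly: a "../" in the parameter would otherwise let a
      logged-in user read any file the ColdFusion service account can open. --->
<cfset docs = {
    "report" = { file = "report.xls", mime = "application/vnd.ms-excel" },
    "manual" = { file = "manual.pdf", mime = "application/pdf" }
}>

<cfif NOT structKeyExists(docs, url.doc)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Keep the real files outside the web root so the web server cannot serve
      them on its own; expandPath resolves relative to this .cfm's directory. --->
<cfset docPath = expandPath("../protected_files/" & docs[url.doc].file)>

<cfif NOT fileExists(docPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- attachment; forces a download prompt; the doubled quotes escape the
      quotation marks around the file name inside the attribute value. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#docs[url.doc].file#""">
<cfcontent type="#docs[url.doc].mime#" file="#docPath#" reset="true">
```

Link to download.cfm?doc=report instead of to the .xls itself; after logout the same URL now lands on login.cfm like any other cfm page.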
Thank you once again