
Application.cfc & locking down media files

New Here, Nov 06, 2008
Hi,

I've used a login framework for the Application.cfc (from Forta's CF8 book chapter 23). It successfully locks down .cfm files, but media/image files such as .jpg are still unsecure.

What am I missing to make sure that, no matter what's in the folder, whether it be .jpg, .gif, .mov, .swf, etc., it will only be accessible if the site visitor has the proper login credentials?

I could probably "lock" the media files away in a database structure, but that's not very efficient. I'm sure CF8 has an easy way to handle this that I just don't know about.

Thank you for your help!

1 Correct answer

LEGEND, Nov 06, 2008
the only secure way to not allow access to a web content is to not put
it on the web. cf never processes those 'media' files you mention - it
is your web server that handles requests for them.

so either:
a) move those files into non-web-accessible part of your server and
serve them with cf via file system interaction tags/functions and
cfcontent/cfheader combinations
b) configure cf to process those files instead of your web server

mind you, both options above may add significant processing overhead to
your application, so balance the need to secure access to those files
and your app performance wisely...

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/
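
Option (a) from the answer above, sketched as an added example that is not part of the original thread: a template that checks the login state, accepts only a bare file name with an allow-listed extension, and streams the file from a folder outside the web root with cfheader/cfcontent. The template name `getmedia.cfm`, the `url.file` parameter, the `/var/private_media/` path and the `session.auth.isLoggedIn` flag are assumptions.

```cfml
<!--- getmedia.cfm (hypothetical name). Added example, not code from the thread. --->
<cfparam name="url.file" default="">

<!--- Assumption: the login framework keeps its flag in session.auth.isLoggedIn. --->
<cfif NOT (StructKeyExists(session, "auth")
      AND StructKeyExists(session.auth, "isLoggedIn")
      AND session.auth.isLoggedIn)>
  <cfheader statuscode="403" statustext="Forbidden">
  <cfabort>
</cfif>

<!--- Assumption: media lives outside the web root, so the web server
      cannot hand it out directly. --->
<cfset mediaDir = "/var/private_media/">

<!--- Allow-list of extensions and the Content-Type sent for each. --->
<cfset mimeTypes = StructNew()>
<cfset mimeTypes["jpg"] = "image/jpeg">
<cfset mimeTypes["gif"] = "image/gif">
<cfset mimeTypes["mov"] = "video/quicktime">
<cfset mimeTypes["swf"] = "application/x-shockwave-flash">

<!--- Accept a bare file name only: no directory part, no "..", a single
      dot before the extension. Anything else is treated as not found. --->
<cfset fileName = GetFileFromPath(url.file)>
<cfset ext = LCase(ListLast(fileName, "."))>
<cfif fileName NEQ url.file
      OR NOT REFind("^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$", fileName)
      OR NOT StructKeyExists(mimeTypes, ext)
      OR NOT FileExists(mediaDir & fileName)>
  <cfheader statuscode="404" statustext="Not Found">
  <cfabort>
</cfif>

<!--- Stream the file; reset="yes" discards any output generated so far. --->
<cfheader name="Content-Disposition" value='inline; filename="#fileName#"'>
<cfcontent type="#mimeTypes[ext]#" file="#mediaDir##fileName#"
           deleteFile="no" reset="yes">
```

Pages then reference media as `getmedia.cfm?file=photo.jpg` instead of linking to the file itself, so every request passes through Application.cfc and the session check.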
New Here, Nov 07, 2008
Hi Azadi,

Thanks for responding to this thread. I think I'll try the non-public folder with a cfcontent scenario and see what happens. Although, this really doesn't seem "scalability" friendly for future multi-threading scenarios that could arise. But, I guess I can adapt to that later.

I'll look into some more server-side features, too... I'll also be on the lookout for any other technologies that help protect intellectual property. It's definitely a tough cookie on the web!

Thanks again!
LEGEND, Nov 07, 2008
Azadi wrote:
> the only secure way to not allow access to a web content is to not put
> it on the web. cf never processes those 'media' files you mention - it
> is your web server that handles requests for them.
>
> so either:
> a) move those files into non-web-accessible part of your server and
> serve them with cf via file system interaction tags/functions and
> cfcontent/cfheader combinations
> b) configure cf to process those files instead of your web server
>
> mind you, both options above may add significant processing overhead to
> your application, so balance the need to secure access to those files
> and your app performance wisely...
>

As well as these CF solutions mentioned by Azadi, you can look into the
security options of your web server and try to apply them. These work
differently than the ColdFusion-based solution, but they get to the same
end.
New Here, Nov 07, 2008
Hi Ian,

Thanks for your advice. I'll experiment with the server settings and see if any of that works with my functional needs.

Thanks!