Disallow access to certain directories

Participant,
Apr 20, 2013

I have a directory on my server named "documents" that I need to make sure users are authenticated (logged in) before they can access this directory.

The directory contains PDF documents.

What's happening is that users are bypassing the login process and directly accessing documents in this documents directory.

When my users log in a SESSION variable "allowin" gets set.

Normally I have an application.cfc or application.cfm file that will redirect the user to the login page if they don't have the session created.

For example, if a user tried to access the site directly with a link and not log in, they would not be allowed in and be redirected to the login page.

That's because the application runs each time a cfm page runs.

But when a user accesses the site at http://www.mysite.com/documents/test.pdf they get in because the application.cfm doesn't run and enforce the SESSION rule.

Because there is not an application.cfm file in the documents directory.

Any ideas on how to use CF to boot users to a login page that try to access a directory that does not contain an application.cfm or .cfc file?

Enthusiast,
Apr 20, 2013

The reason why this happens is that ColdFusion is never introduced to the equation.

Your webserver gets the request before ColdFusion does. It checks your URL and sees that the path provided is a legitimate one (the directory and file specified exist). It then looks at the extension of the request (.PDF in this case), and chances are, this is set up on the server to just be sent to the user's browser (same as if they requested a GIF, PNG, etc.)

What you should do is place the documents outside of the webroot, so they cannot be navigated to. Then, build a ColdFusion page that is passed an ID or identifier so that it can find the file requested, i.e.:

http://mysite.com/filedownloader.cfm?filename=test.pdf

Now, since you're actually requesting a CFM file, ColdFusion gets handed the request, can perform Session value checks, etc., and once verified, can actually get and serve up the file from the out-of-webroot directory.

Like with those concerned with not having their artwork stolen when they want to put it online, consider the webroot as a repository for your application files.  See these PDFs and such as "resources" or "file content" that exists outside that, and as such, it should reside in a different location, inaccessible by those who can access your site.
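An added example of the download page described in this reply (not the poster's or the answerer's code). It assumes the site's Application.cfc/.cfm already enables session management and that login sets SESSION.allowin as the question states; the storage path /var/app/private/documents/ and the login page /login.cfm are assumptions. Because the file name arrives from the URL, the page only accepts a plain name ending in .pdf before touching the filesystem, so a request cannot reach outside the private directory:

```cfml
<!--- filedownloader.cfm: serve a PDF from a directory outside the webroot,
      but only to a logged-in user. Added example; not code from the thread. --->

<!--- Same rule the rest of the application enforces: no session flag, no access --->
<cfif NOT structKeyExists(session, "allowin")>
    <cflocation url="/login.cfm" addtoken="false">
</cfif>

<cfparam name="url.filename" type="string" default="">

<!--- Accept only a bare file name (letters, digits, dot, dash, underscore) with a
      .pdf suffix. Slashes are not in the set and ".." is rejected explicitly,
      so the request can never name a path outside the document store. --->
<cfif NOT reFindNoCase("^[A-Za-z0-9._-]+\.pdf$", url.filename) OR find("..", url.filename)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- Assumed location; anywhere the web server does not serve from --->
<cfset documentRoot = "/var/app/private/documents/">
<cfset fullPath = documentRoot & url.filename>

<cfif NOT fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Stream the file with the right MIME type; reset="true" discards any
      whitespace already generated so the PDF bytes are not corrupted --->
<cfheader name="Content-Disposition" value="inline; filename=""#url.filename#""">
<cfcontent type="application/pdf" file="#fullPath#" reset="true">
```

With this in place a link that used to point at /documents/test.pdf becomes /filedownloader.cfm?filename=test.pdf, and Application.cfc/.cfm runs for every download exactly as it does for any other .cfm page.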

Participant,
Apr 20, 2013

Yes, I agree that your solution will work.

I think it would be a massive undertaking to move all of these documents and then fix all of the links.

How about this?

Is there a way to limit access to the documents directory by allowing only users from certain referrers?

Enthusiast,
Apr 20, 2013

People can spoof their HTTP referer, so I wouldn't rely on that being a valid method.

Are you unable to lock down the directory from the server? i.e., setting its authentication to require users to enter a valid password?

Do you have access to your web server's ACP?

Participant,
Apr 20, 2013

This is an existing application so I don't want to change the rules to require users to enter a valid password.

Is there some way to invoke the ColdFusion server to run when the documents directory is accessed?

If that were possible I could use an application.cfm to do this.

Enthusiast,
Apr 20, 2013

Not that I know of.

You could go so far as to set up the server to route .pdf calls to ColdFusion, so ColdFusion would fire off its Application.cfc when you request the file, but you would have to detect that the user is requesting these files via the onRequestStart() and then put together some code that would read and serve up the PDF file with <cfcontent> and the appropriate mime type.

As it stands, ColdFusion never intercepts the request. My suggestion makes it so that *.pdf would fire off CF as if you were requesting a .cfm. You'd then add special code to determine if the user requested a .pdf, and if so, to alter the request to call the PDF file and serve it to the user.

This is a very jerry-rigged method since you seem to be very limited in low-level access.
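An added example of the onRequestStart() approach this reply outlines (not the answerer's code). It assumes the web server connector has already been configured to hand *.pdf requests under /documents/ to ColdFusion; without that routing step this file never sees the request. The application name and the login page /login.cfm are assumptions. The handler intercepts only a bare file name directly inside /documents/, checks the same session flag the .cfm pages rely on, and streams the file itself so the existing links keep working:

```cfml
<!--- Application.cfc: intercept routed .pdf requests and enforce the session
      rule before serving the file. Added example; not code from the thread. --->
<cfcomponent output="false">
    <cfset this.name = "docsApp">            <!--- assumed application name --->
    <cfset this.sessionManagement = true>    <!--- needed for the session scope --->

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var fullPath = "">

        <!--- Only handle /documents/<name>.pdf. No slashes are allowed in the name
              and ".." is rejected, so nothing outside that folder is reachable. --->
        <cfif reFindNoCase("^/documents/[A-Za-z0-9._-]+\.pdf$", arguments.targetPage)
              AND NOT find("..", arguments.targetPage)>

            <!--- Same check the rest of the site performs: no session flag, no document --->
            <cfif NOT structKeyExists(session, "allowin")>
                <cflocation url="/login.cfm" addtoken="false">
            </cfif>

            <!--- Resolve the web path to the physical file under the webroot --->
            <cfset fullPath = expandPath(arguments.targetPage)>
            <cfif NOT fileExists(fullPath)>
                <cfheader statuscode="404" statustext="Not Found">
                <cfabort>
            </cfif>

            <!--- Send the PDF with its MIME type. Returning false tells ColdFusion
                  not to try to process the .pdf as a template afterwards. --->
            <cfcontent type="application/pdf" file="#fullPath#" reset="true">
            <cfreturn false>
        </cfif>

        <!--- Any other request (ordinary .cfm pages) proceeds as normal --->
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

The files stay where they are and the links do not change, which is what the poster asked for; the cost is that every PDF download now passes through ColdFusion, and the approach only works if the server-side routing of *.pdf to CF is actually in place.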
