Grif,

I've done something similar to what you're talking about.  What I did was
to create a groupID and employeeID based off the user session.  Once the
user goes to the section that contains the files, I check to make sure they
have the exclusive rights to the doc by testing the session IDs.  I also
had to change the document name to something more obscure, rather than
keeping the same name that the user uploads.  All of this was done behind
one NT secure login.  By creating a separate dir for each user with CFDIR,
then storing the documents in the folder and restricting it based on the
session IDs, I was able to limit the people from viewing each other's
documents.  Only problem with this is that you could end up with an endless
number of folders depending on how many users are created.  With a popup I
can then check to see if the particular user is able to view the file.  If
the GroupID and EmployeeID don't match, I simply close the popup and do not
allow access to the file.  Since the file is a series of numbers and letters
rather than just the document or image name, it's near impossible to just
type in the name of the folder and then type in the name of the document.
With the one NT level of security, the search engines won't pick up the
documents.  You could also tell the search engines not to view those
particular pages, but it only works on some search engines.

Hope that helps

Matt


-----Original Message-----
From: Griffin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 9:34 AM
To: CF-Talk
Subject: WOT: Securing word docs, excel, etc in a web app


Hi,
This is off topic, but I am sure many of you have had to deal with
issues such as these in the past.

I have been living in a bubble for the past 3 years and have developed
many web apps in CF, ASP and JSP on secure networks with no Internet
connection. For the first time, I am building an Internet based web app
in CF. Creating the members only portion with user authentication and so
on is no problem.

However, the site's main focus is to share research data among members.
Most members want to upload MS Word docs, MS Excel docs and PDFs. The
site will be hosted at an ISP, so using IIS or NT security is not an
option.

So here is my dilemma: once I have uploaded documents that I only want
members to access, how can I achieve something better than "security
through obscurity" and prevent people from stumbling on the docs by
guessing or as the result of a search engine search? Same question for
images. There will be images in .jpg and .gif format which are destined
for members' eyes only.

Any recommendations appreciated.

Grif
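
The check Matt describes, written out as an added Python example (not code from the thread or from either poster): uploads are saved under a random name in a per-user directory, and a handler releases the bytes only when the session's GroupID and EmployeeID match the owner record. The function names, the in-memory `index`, and a storage root that the web server does not serve directly are assumptions of this example.

```python
import secrets
from pathlib import Path


class AccessDenied(Exception):
    """Raised for unknown documents and for documents owned by someone else."""


def store_upload(store_root, index, group_id, employee_id, original_name, data):
    """Save an upload under a random name in the owner's directory.

    store_root is assumed to lie outside the web-served tree, so the only way
    to reach a file is through fetch_document(). index stands in for the
    database table that maps document ids to their owners.
    """
    doc_id = secrets.token_hex(16)  # 32 hex chars, unrelated to the uploaded name
    user_dir = Path(store_root) / f"{group_id}_{employee_id}"
    user_dir.mkdir(parents=True, exist_ok=True)
    (user_dir / doc_id).write_bytes(data)
    index[doc_id] = {
        "group_id": group_id,
        "employee_id": employee_id,
        "display_name": Path(original_name).name,  # kept only as metadata
    }
    return doc_id


def fetch_document(store_root, index, session, doc_id):
    """Return (display_name, bytes) if the session owns doc_id, else raise."""
    record = index.get(doc_id)
    # Same error for "no such document" and "not yours", so a guess learns nothing.
    if (record is None
            or session.get("group_id") != record["group_id"]
            or session.get("employee_id") != record["employee_id"]):
        raise AccessDenied(doc_id)
    root = Path(store_root).resolve()
    path = (root / f"{record['group_id']}_{record['employee_id']}" / doc_id).resolve()
    if root not in path.parents:  # defence in depth against path tricks
        raise AccessDenied(doc_id)
    return record["display_name"], path.read_bytes()
```

The random name keeps the stored path unguessable, but the ownership comparison in `fetch_document` is what enforces access.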


