Yeah, yeah, everyone forget he said that bit about the database
thing.... lol, no holy war here!

Alright, sounds great Michael, that's what I was expecting, but didn't
know if there was maybe something I wasn't thinking of.

Thanks a lot for the response!

On 9/12/05, Dawson, Michael <[EMAIL PROTECTED]> wrote:
> Yes, you are right.  You have to keep these files "behind" a .cfm page
> (or any dynamic page, for that matter).
> 
> You should keep your documents out of the web root so that they are not
> web-accessible.
> 
> Your links would be formatted such as:
> 
> www.mydomain.com/download.cfm?doc=123
> 
> In "download.cfm", you check to make sure the user has the appropriate
> authorization to view the file.  If so, use CFCONTENT to drop the file
> to the browser.  If not, show a "tsk-tsk" page.
> 
> One other option is to store the files in a database, but that would not
> be required in this instance.  It is just another solution to file
> storage.  (This suggestion could also start one heckuva holy war!)
> 
> M!ke
> 
> -----Original Message-----
> From: Ryan Guill [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 12, 2005 3:07 PM
> To: CF-Talk
> Subject: file system access security question
> 
> Hey guys,
> 
> A coworker asked me about this today and although I know there is an
> answer, and I am almost positive there is a very simple answer, for the
> life of me I can't think of it.
> 
> Thinking forward about an upcoming project, we will have files that
> only certain parties are authorized to view.  Binary files such as
> Word documents, PDF files, Excel documents, possibly images, etc.   If
> we link to these files in a web page directly, there would be nothing
> stopping any savvy web-user from viewing the source and seeing where a
> file is stored, and possibly guessing where other files are stored.
> Of course they would not only have to guess the file structure (which
> would probably be relatively simple) but would also have to guess the
> filename (which could be harder, but still not impossible).  So, how
> would we restrict access to those files through the web short of pulling
> everything through flash or something?  Is there a way to possibly make
> a temporary link to the file, or an actual temporary file, although both
> of those methods have noticeable drawbacks.
> 
> Would this be a case for cfcontent or cfheader?  Those are two tags I
> don't have a very good working knowledge of.
> 
> Thanks guys for any response.
> --
> Ryan Guill
> BlueEyesDevelopment
> [EMAIL PROTECTED]
> www.ryanguill.com
> (270) 217.2399
> 
> The Coldfusion Open Application Library - COAL -
> http://coal.ryanguill.com
> 
> 
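
The gated download page described in the reply above, as an added example that is not part of the original thread. The storage path, datasource, table and column names, and the `session.userId` key are assumptions, and session management is assumed to be enabled for the application.

```cfml
<!--- download.cfm (added example). Names marked "assumed" are not from the thread. --->
<cfset docRoot = "D:\secure_docs\"> <!--- assumed directory outside the web root --->

<!--- Accept only an integer id from a logged-in session (assumed key: session.userId) --->
<cfparam name="url.doc" default="">
<cfset allowed = isValid("integer", url.doc) AND structKeyExists(session, "userId")>

<cfif allowed>
    <!--- Assumed datasource and tables. The join enforces per-user authorization. --->
    <cfquery name="qDoc" datasource="myDsn">
        SELECT d.stored_name, d.display_name, d.mime_type
        FROM documents d
        INNER JOIN document_access a ON a.doc_id = d.doc_id
        WHERE d.doc_id = <cfqueryparam value="#url.doc#" cfsqltype="cf_sql_integer">
          AND a.user_id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfset allowed = (qDoc.recordCount EQ 1)>
</cfif>

<cfif NOT allowed>
    <!--- Same answer for "no such document" and "not yours", so ids cannot be enumerated --->
    <cfheader statuscode="403" statustext="Forbidden">
    <p>You are not authorized to view this document.</p>
    <cfabort>
</cfif>

<!--- The on-disk name comes from the database, never from the URL.
      getFileFromPath() drops any directory part as a second guard against traversal. --->
<cfset filePath = docRoot & getFileFromPath(qDoc.stored_name)>
<cfif NOT fileExists(filePath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Restrict the download name to safe characters before placing it in a header --->
<cfset safeName = reReplace(qDoc.display_name, "[^A-Za-z0-9._-]", "_", "all")>
<cfheader name="Content-Disposition" value="attachment; filename=#safeName#">
<cfcontent type="#qDoc.mime_type#" file="#filePath#" deletefile="no">
```

Because the link carries only a numeric id, nothing in the page source reveals where the files are stored, and changing the id in the URL returns the same 403 unless the access table grants that user the document.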
