> We have an app with a protected area that is just using a basic session check
> in application.cfm. In the protected area there is a directory of PDFs. No
> one can access them through the app without logging in. If the person knew
> the URL to the PDF, though, it would serve, since application.cfm would not run
> to check the session. Is there any quick way to secure these? Maybe with
> Windows authentication? I know we could make a .cfm page to look up and
> serve the file so the link to the PDF is never exposed, but these are
> uploaded via a CMS and the link is put into the page by the client; that would
> be more of a training exercise to make sure they are using the right link to
> the PDF, etc.
This kind of thing comes up quite a bit on the list; did you search the archives? Your options are:

1. Implement web server authentication on a per-directory basis. This is somewhat unsatisfactory, since it would require authenticated users to re-enter their credentials when downloading the PDF from within the CMS.

2. Place the files in a directory that's not web-accessible, and use CFCONTENT to serve the files. This is somewhat unsatisfactory also, since it requires you to use CF to serve files instead of your web server. That can cause performance problems on a busy site.

3. Configure CF to serve ALL files that may be downloaded through the site. This approach has the performance problems of the previous approach (and then some, potentially, since you may have files that are unrestricted but still processed by CF), but it doesn't require you to write any code.

4. Keep the files in a directory that's not web-accessible, but make the files or the directory web-accessible on a temporary basis. This can be done several ways: using symlinks, copying and deleting files, creating and destroying virtual directories in your web server. This is also somewhat unsatisfactory, since it requires you to write code to make this happen. However, it's the approach I prefer, as it solves the problems of the first three approaches.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
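The following is an added example of option 2 (a CF page that checks the session and streams a PDF from a directory outside the web root with CFCONTENT); it is not code from the original post or from Dave Watts. It assumes a page named download.cfm, that the existing application.cfm sets session.loggedIn on a successful login, and that the PDFs have been moved to C:\secure_files\pdfs\ (a Windows path, since the question mentions Windows authentication); all three names are assumptions. The security-relevant part is not CFCONTENT itself but the two checks before it: the session check, and the file-name whitelist plus canonical-path comparison that stops a request such as file=..\..\web.config from escaping the protected directory.

```cfml
<!--- download.cfm (assumed name): serves PDFs that live outside the web root --->
<cfsetting enablecfoutputonly="true">

<!--- Assumed: application.cfm sets session.loggedIn = true after login.
      Because this is a .cfm request, application.cfm runs and the session
      exists; we still check explicitly so this page fails closed on its own. --->
<cfif not (isDefined("session.loggedIn") and session.loggedIn)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Assumed location of the protected PDFs; NOT under the web root --->
<cfset baseDir = "C:\secure_files\pdfs\">

<cfparam name="url.file" default="">

<!--- Step 1: keep only the file name part, then whitelist its characters.
      GetFileFromPath drops any directory components the client sent. --->
<cfset requested = GetFileFromPath(url.file)>
<cfif not REFindNoCase("^[a-z0-9_-][a-z0-9._-]*\.pdf$", requested)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- Step 2: canonicalize the final path and require that it is still
      inside baseDir. This is the defence against "..", symlinks and
      any encoding trick that survived step 1. --->
<cfset fileObj  = createObject("java", "java.io.File").init(baseDir & requested)>
<cfset fullPath = fileObj.getCanonicalPath()>
<cfset baseCanon = createObject("java", "java.io.File").init(baseDir).getCanonicalPath() & "\">
<cfif Left(fullPath, Len(baseCanon)) neq baseCanon or not FileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Step 3: hand the file to the browser. deletefile="no" keeps the original. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#requested#""">
<cfcontent type="application/pdf" file="#fullPath#" deletefile="no">
```

With this in place the link the client pastes into the CMS becomes download.cfm?file=report.pdf instead of a direct /protected/report.pdf URL, which is the "training exercise" the question mentions. Note the two costs Dave names are still real: every PDF now passes through the CF request thread, and the page only protects files that are physically outside the web root; anything left in the old web-accessible directory is still served straight by the web server.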
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330663