Bruce:

I am just guessing, but is it maybe that the files you need to protect are the
*.class files that MX produces and not the *.cfm files?

Kory Bakken

-----Original Message-----
From: Bruce Phillips [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 8:11 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [KCFusion] ColdFusion File Security


All:

   I hope you can provide me some guidance on the following issue and
especially if my web host tech support is incorrect.

   I've run into an interesting security problem with ColdFusion.  I am
the web master for STFM.org.
 
   We have protected various directories using our web host's file
permission interface on the control panel for our web site.  For several
directories we have set the user Everyone's access to none for that
directory and any files/sub-directories in the directory.
 
   However, after moving to our new CF MX server, I noticed that the CF
files in our protected directories are being served up even though the
directory is protected (I checked to ensure it was still protected after
the move).  If you try to load a non-CF file (for example test.htm) that
is located in the same protected directory, the server requests you
provide a user name and password before it returns the file to your
computer.  The server does not do this with the CF file, it just returns
the file.
 
   According to a phone conversation I had with one of our web host's
tech support personnel late on 1 August, CF files are not protected by
the file permissions settings on the Windows server since the CF MX
server bypasses the web server to return the files to the browser.  

   However, after consulting another very experienced ColdFusion
Developer and checking the ColdFusion MX documentation (see
http://download.macromedia.com/pub/coldfusion/documentation/cfmx_dev_cf_apps.pdf
page 353) I've learned that basic HTTP authentication should protect CF
files.  I believe that the information I was given by the support
technician to be incorrect.  Removing the user Everyone's access in some
of our sub-directories should also protect the CF files in those sub
directories.  

Any information on your experience in using basic http authentication to
protect CF files in a directory from being served up with the user
entering a password and username would be appreciated.  I really think
the tech support is incorrect and there is some other problem on the web
server.

I don't want to use CFLOGIN or some other application login script if I
don't have to.


 
Thank You,
 
Bruce
 





Bruce Phillips
Society of Teachers of Family Medicine
913-906-6000 ext 5405
[EMAIL PROTECTED]
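A quick way to verify the behaviour Bruce describes, and to re-check it after the host fixes anything, is to request a static file and a .cfm file from the same protected directory anonymously and confirm that both come back with 401/403. The script below is an added example, not code from the thread; the host name, directory and file names are assumptions, and the fake responses are constructed to mimic the symptom reported above.

```python
"""Check that a basic-auth-protected directory refuses anonymous requests
for every file type, .cfm pages included.  Added example, not from the
list thread; host, directory and file names below are assumptions."""
from typing import Callable, Dict, List
from urllib.request import Request, urlopen
from urllib.error import HTTPError

# Status codes that mean the web server actually enforced authentication.
AUTH_REQUIRED = {401, 403}

def http_status(url: str) -> int:
    """Anonymous GET; return the HTTP status (urllib raises on 4xx/5xx)."""
    try:
        with urlopen(Request(url, method="GET"), timeout=10) as resp:
            return resp.getcode()
    except HTTPError as err:
        return err.code

def check_protected_dir(base_url: str, files: List[str],
                        fetch: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Request each file without credentials and classify the result.

    Returns {filename: 'protected' | 'EXPOSED' | 'missing'}.  A 200 on any
    file means the directory ACL / basic auth is not applied to the handler
    that served it (for .cfm, that is the ColdFusion connector).
    """
    report: Dict[str, str] = {}
    for name in files:
        status = fetch(base_url.rstrip("/") + "/" + name)
        if status in AUTH_REQUIRED:
            report[name] = "protected"
        elif status == 404:
            report[name] = "missing"
        else:
            report[name] = "EXPOSED"   # served without a username/password
    return report

def exposed_files(report: Dict[str, str]) -> List[str]:
    """Names that were served anonymously, sorted for stable output."""
    return sorted(n for n, state in report.items() if state == "EXPOSED")

# Constructed responses reproducing the symptom in the thread: the static
# page prompts for credentials, the ColdFusion page is returned regardless.
FAKE_RESPONSES = {"test.htm": 401, "index.cfm": 200, "nothere.cfm": 404}

def fake_fetch(url: str) -> int:
    return FAKE_RESPONSES[url.rsplit("/", 1)[-1]]

if __name__ == "__main__":
    rep = check_protected_dir("https://www.example.org/protected/",
                              list(FAKE_RESPONSES), fetch=fake_fetch)
    print(rep, "exposed:", exposed_files(rep))
```

Run it against the real server by dropping the `fetch=` argument; any name reported as EXPOSED is being served by a path that bypasses the web server's authentication.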

 
 
______________________________________________________________________
The KCFusion.org list and website is hosted by Humankind Systems, Inc.
List Archives........ http://www.mail-archive.com/[EMAIL PROTECTED]
Questions, Comments or Glowing Praise.. mailto:[EMAIL PROTECTED]
To Subscribe.................... mailto:[EMAIL PROTECTED]
To Unsubscribe................ mailto:[EMAIL PROTECTED]
 