Re: WOT: Securing word docs, excel, etc in a web app
Make certain the hosting provider gives you access to directories outside of your web root. Store the members-only files in those directories and deliver them to members using cfcontent.

hth

Isaac

-- Original Message --
From: Griffin [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Aug 21, 2003 02:11 PM
Subject: Re: WOT: Securing word docs, excel, etc in a web app

Hi,

This is off topic, but I am sure many of you have had to deal with issues such as these in the past. I have been living in a bubble for the past 3 years and have developed many web apps in CF, ASP and JSP on secure networks with no Internet connection. For the first time, I am building an Internet based web app in CF.

Creating the members-only portion with user authentication and so on is no problem. However, the site's main focus is to share research data among members. Most members want to upload MS Word docs, MS Excel docs and PDFs. The site will be hosted at an ISP, so using IIS or NT security is not an option.

So here is my dilemma: once I have uploaded documents that I only want members to access, how can I achieve something better than security through obscurity and prevent people from stumbling on the docs by guessing or as the result of a search engine search?

Same question for images. There will be images in .jpg and .gif format which are destined for members' eyes only.

Any recommendations appreciated.

Grif

Archives: http://www.houseoffusion.com/lists.cfm?link=t:4
Re: WOT: Securing word docs, excel, etc in a web app
Use CFCONTENT to push the documents from a directory that is not accessible via the webroot:

    <CFHEADER NAME="Content-Disposition" VALUE="attachment; filename=#download.filename#">
    <CFCONTENT TYPE="#mimetype#" FILE="#sharedfiles#\#download.filename#" DELETEFILE="No">

Where sharedfiles is a directory off the webroot...
RE: WOT: Securing word docs, excel, etc in a web app
Well, if the ISP/Host is on top of things, they'll let you have a folder outside your web root. Then you can call the files with something like cfcontent (if they allow it).

If those two pieces fall into place, then you can devise some type of encryption string to mask the variables which call the files, or you could have a table with IDs and pointers to the files in the folder outside of the web root.

Hope that helps,

Ryan
Re: WOT: Securing word docs, excel, etc in a web app
Two choices:

1) Place the files in a non-web accessible directory. Then, create a CF template that retrieves the file from the non-web accessible directory.

2) Place the files into a database. Then, create a CF template that retrieves the file from the database.
Re: WOT: Securing word docs, excel, etc in a web app
Hopefully your ISP can provide you with access to someplace outside of the web root, first of all. Something that can be accessed by CF via a local path but not from a browser via ftp or http.

What you want to do is use cfcontent and push files to clients, rather than letting them be accessible via direct links. Once you do that, you can enforce whatever permissions your CF app allows.

Your link on a page pointing to a document:

    <a href="myfiledelivery.cfm?FID=#myFiles.uniqueIDorFileName#" target="_blank">

myfiledelivery.cfm contains:

    ...Security goes here...
    ...maybe a query here that uses url.FID to pull the filename, if you just pass a pk in the url...
    <cfmodule template="mytags/pushthefile.cfm"
        FilePath="#request.myOffWebFilePath#"
        FileName="#theFileName#"
        MailTo="#theAdmin'sEmailAddress#">

and the file pusher tag itself:

    <cfparam name="attributes.FilePath" default="" TYPE="string">
    <cfparam name="attributes.FileName" default="" TYPE="string">
    <cfif Len(attributes.FileName)>
        <!--- Build the full off-web path from the two attributes --->
        <cfset variables.FileToPush=attributes.FilePath & attributes.FileName>
        <cfif FileExists(variables.FileToPush)>
            <!--- Force a download dialog and stream the file --->
            <cfheader name="Content-Disposition" value="attachment; filename=#attributes.FileName#">
            <cfcontent type="application/unknown" file="#variables.FileToPush#">
        <cfelse>
            <center><h1>Sorry, File Does Not Exist</h1></center>
            <cfabort>
        </cfif>
    <cfelse>
        <center><h1>No File Selected</h1></center>
        <cfabort>
    </cfif>

The above will always force a download/open dialog to come up, no matter what the file type. I use this to push pdf's that display immediately in the browser:

    <cfheader name="content-disposition" value="inline; filename=#attributes.FileName#">
    <cfcontent type="application/pdf" file="#variables.FileToPush#">

HtH,

--
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
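
The replies above combine into one delivery template: a login check, an ID-to-file lookup table, and cfcontent reading from the off-web folder. The following is an added example, not code from any poster in this thread; the memberFiles table and its columns, request.dsn, and session.memberID are assumptions, and request.myOffWebFilePath is assumed to end with a path separator.

```cfml
<!--- myfiledelivery.cfm (added example; table, column and datasource names are hypothetical) --->
<cfparam name="url.FID" default="">

<!--- 1. Only logged-in members get any further.
      session.memberID is assumed to be set by the login page. --->
<cfif NOT StructKeyExists(session, "memberID")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 2. The URL carries a numeric key only, never a file name or path --->
<cfif NOT REFind("^[0-9]{1,9}$", url.FID)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Map the key to the stored file. cfqueryparam binds url.FID as a
      parameter, so it never becomes part of the SQL text. --->
<cfquery name="getFile" datasource="#request.dsn#">
    SELECT storedName, mimeType
    FROM   memberFiles
    WHERE  fileID = <cfqueryparam value="#url.FID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 4. Accept only plain file names: no slashes, no leading dot, so the
      resulting path cannot leave the off-web folder even if a row is bad. --->
<cfif getFile.recordCount NEQ 1
      OR NOT REFind("^[A-Za-z0-9_-][A-Za-z0-9._ -]*$", getFile.storedName)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<cfset fileToPush = request.myOffWebFilePath & getFile.storedName>
<cfif NOT FileExists(fileToPush)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 5. Stream the file. The name was validated in step 4, so it cannot
      carry quotes or line breaks into the response header. --->
<cfheader name="Content-Disposition" value='attachment; filename="#getFile.storedName#"'>
<cfcontent type="#getFile.mimeType#" file="#fileToPush#" deletefile="no">
```

Because the browser only ever sees the numeric key, a guessed or indexed URL reveals nothing about the storage layout, and every request passes through the login check before any file is read.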