Re: SOT: directory protection

2010-02-13 Thread Claude Schnéegans

> Well, if you're going to use CFCONTENT to serve the files, there's no
> point in renaming them, is there?

Yes, if you cannot store them in some non Web accessible directory, 
which was my case for many years before I got my own dedicated server. 
By renaming them .cfm, they are automatically protected by some 
Application.cfm in the same directory.

> From: =?ISO-8859-1?Q?Claude_Schn=E9egans schneeg...@interneti=71?=
> =?ISO-8859-1?Q?ue.com=3E?=
>
> I don't know if that's a problem with your mail client, or with the
> list, but I thought you might want to know. I'd have sent this to you
> directly, but I'm too lazy to decypher the escaped characters.

Well, I think it's a problem with Gmail. My name has an accented 
character in it, and it is encoded in encoded-word format by 
Thunderbird, which is an SMTP standard.
Everything looks correct to me with Thunderbird.

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330695
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


Re: SOT: directory protection

2010-02-13 Thread Brad Wood

>> Well, if you're going to use CFCONTENT to serve the files, there's no
>> point in renaming them, is there?
>
> Yes, if you cannot store them in some non Web accessible directory,
> which was my case for many years before I got my own dedicated server.
> By renaming them .cfm, they are automatically protected by some
> Application.cfm in the same directory.

Were you using IIS or Apache in those days?  If the latter, an .htaccess 
file could have been placed in the directory to deny access.  Shared hosting 
on IIS gives you no such ability though.

~Brad 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330696


SOT: directory protection

2010-02-12 Thread Scott Mulholland

We have an app with a protected area that is just using a basic session check
in application.cfm.  In the protected area there is a directory of PDFs.  No
one can access them through the app without logging in.  If the person knew
the url to the pdf though it would serve since application.cfm would not run
to check the session.  Is there any quick way to secure these?  Maybe with
windows authentication?  I know we could make a cfm page to look up and
serve the file so the link to the pdf is never exposed but these are
uploaded via a cms and the link put into the page by the client that would
be more of a training exercise to make sure they are using the right link to
the pdf, etc.

 

 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330647


Re: SOT: directory protection

2010-02-12 Thread ColdFusion Developer

Why not route the downloads through a single CFM file (download.cfm?f=some
identifier) and then use CFCONTENT to serve up the PDF file.




On Fri, Feb 12, 2010 at 10:38 AM, Scott Mulholland smulholl...@aimg.com wrote:

> We have an app with a protected area that is just using a basic session check
> in application.cfm.  In the protected area there is a directory of PDFs.  No
> one can access them through the app without logging in.  If the person knew
> the url to the pdf though it would serve since application.cfm would not run
> to check the session.  Is there any quick way to secure these?  Maybe with
> windows authentication?  I know we could make a cfm page to look up and
> serve the file so the link to the pdf is never exposed but these are
> uploaded via a cms and the link put into the page by the client that would
> be more of a training exercise to make sure they are using the right link to
> the pdf, etc.







 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330648


Re: SOT: directory protection

2010-02-12 Thread Dave Watts

> We have an app with a protected area that is just using a basic session check
> in application.cfm.  In the protected area there is a directory of PDFs.  No
> one can access them through the app without logging in.  If the person knew
> the url to the pdf though it would serve since application.cfm would not run
> to check the session.  Is there any quick way to secure these?  Maybe with
> windows authentication?  I know we could make a cfm page to look up and
> serve the file so the link to the pdf is never exposed but these are
> uploaded via a cms and the link put into the page by the client that would
> be more of a training exercise to make sure they are using the right link to
> the pdf, etc.

This kind of thing comes up quite a bit on the list, did you search
the archives?

Your options are:

1. Implement web server authentication on a per-directory basis. This
is somewhat unsatisfactory, since it would require authenticated users
to reenter their credentials when downloading the PDF from within the
CMS.

2. Place the files in a directory that's not web-accessible, and use
CFCONTENT to serve the files. This is somewhat unsatisfactory also,
since it requires you to use CF to serve files instead of your web
server. That can cause performance problems on a busy site.

3. Configure CF to serve ALL files that may be downloaded through the
site. This approach has the performance problems of the previous
approach (and then some, potentially, since you may have files that
are unrestricted but still processed by CF), but it doesn't require
you to write any code.

4. Keep the files in a directory that's not web-accessible, but make
the files or the directory web-accessible on a temporary basis. This
can be done several ways: using symlinks, copying and deleting files,
creating and destroying virtual directories in your web server. This
is also somewhat unsatisfactory, since it requires you to write code
to make this happen. However, it's the approach I prefer, as it solves
the problems of the first three approaches.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or o

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330663
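
Added example, not part of any list message and not code from any poster: a minimal download.cfm along the lines of the single-CFM-file suggestion and option 2 above. The session flag session.loggedIn, the rule for the f identifier and the D:\secure\pdfs\ path are assumptions chosen for illustration.

```cfm
<!--- download.cfm (added example; every name below is an assumption) --->
<cfsetting showdebugoutput="false">

<!--- Hypothetical directory outside the web root; adjust per host. --->
<cfset pdfRoot = "D:\secure\pdfs\">

<!--- Assumes Application.cfm has enabled session management and that the
      login code sets session.loggedIn. The check is repeated here so the
      handler stays safe if it is ever moved out of the protected area. --->
<cfif NOT structKeyExists(session, "loggedIn")
      OR NOT isBoolean(session.loggedIn)
      OR NOT session.loggedIn>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<cfparam name="url.f" type="string" default="">

<!--- The identifier is a bare name with no extension. Rejecting every
      character outside the allow-list rules out slashes, backslashes,
      dots, drive letters and control characters, so the value cannot
      leave pdfRoot or inject a header line. --->
<cfif len(url.f) EQ 0 OR len(url.f) GT 100
      OR reFind("[^A-Za-z0-9_-]", url.f)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- The handler, not the caller, decides the extension and directory. --->
<cfset fullPath = pdfRoot & url.f & ".pdf">

<cfif NOT fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- url.f is safe to echo into the header after the allow-list check. --->
<cfheader name="Content-Disposition"
          value='attachment; filename="#url.f#.pdf"'>
<cfcontent type="application/pdf" file="#fullPath#"
           deletefile="no" reset="true">
```

Links placed in CMS pages would then take the form download.cfm?f=identifier instead of pointing at the PDF itself.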


Re: SOT: directory protection

2010-02-12 Thread Claude Schnéegans

5. rename all your pdf files with cfm extensions so that if users call 
them they will be filtered by application.cfm and use some download CF 
code like GetPdf.cfm?file=MyPdf that will send MyPdf.cfm as a pdf file 
using CFCONTENT.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330681


Re: SOT: directory protection

2010-02-12 Thread Mike Chabot

I would not include renaming PDF files as an option, since the #3
option in Dave's list is a similar idea that is better. ColdFusion can
handle PDF files as if they were CFM files without changing the PDF
file extension.

Keep in mind that if CF starts serving a large downloadable file, it
will tie up one of the limited CF processing threads, which I believe
is the performance issue Dave is suggesting with #2 and #3. When all
the CF processing threads are busy, incoming requests start to queue
up, even if CF isn't doing much of anything.

-Mike Chabot

On Fri, Feb 12, 2010 at 8:04 PM,   wrote:

> 5. rename all your pdf files with cfm extensions so that if users call
> them they will be filtered by application.cfm and use some download CF
> code like GetPdf.cfm?file=MyPdf that will send MyPdf.cfm as a pdf file
> using CFCONTENT.

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330683


Re: SOT: directory protection

2010-02-12 Thread Claude Schnéegans

> I would not include renaming PDF files as an option, since the #3
> option in Dave's list is a similar idea that is better.

I suppose you mean solution #4, which is not a bad idea indeed, if you 
can create a non Web accessible directory, which is not always allowed 
by all providers.
My solution is an alternative which does not require some special directory.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330684


Re: SOT: directory protection

2010-02-12 Thread Dave Watts

> 5. rename all your pdf files with cfm extensions so that if users call
> them they will be filtered by application.cfm and use some download CF
> code like GetPdf.cfm?file=MyPdf that will send MyPdf.cfm as a pdf file
> using CFCONTENT.

Well, if you're going to use CFCONTENT to serve the files, there's no
point in renaming them, is there?

By the way, Claude, your email address isn't showing up properly in
list messages. It's showing up blank in the From part of my mail
client (Gmail) and like this in the message headers:

From: =?ISO-8859-1?Q?Claude_Schn=E9egans schneeg...@interneti=71?=
=?ISO-8859-1?Q?ue.com=3E?=

I don't know if that's a problem with your mail client, or with the
list, but I thought you might want to know. I'd have sent this to you
directly, but I'm too lazy to decypher the escaped characters.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330687