Re: [ACFUG Discuss] Blocking a ColdFusion website's directory
For things like that I normally store them outside the webroot and then serve them via a cfcontent in a cfm script. Instead of a link like http://mysite/mypdf.pdf it would be http://mysite/getfile.cfm?var=myfile.pdf. That is very oversimplified, but captures the approach.

From: Emile Melbourne emile.melbou...@gmail.com
To: discussion@acfug.org
Sent: Thursday, December 18, 2008 12:00:42 PM
Subject: [ACFUG Discuss] Blocking a ColdFusion website's directory

Hey Everyone,

I am currently in the process of building my first secured site. Most pages of the site will be behind a login page. I'm using ColdFusion's Application.cfc onRequestStart function to check if a user is logged in or not. That's pretty much boilerplate.

My concern is how to prevent a non-authorized user from accessing or hotlinking to a non-ColdFusion page (i.e., images, pdfs, swfs, .txt etc). What's the best way to ensure a user can't link directly to these items but instead be redirected to login.cfm? Is there a way to lock down an entire directory?

Thank you for all your help

Emile

-
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-
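
The approach described in the reply above, as an added example that is not part of the original post or the poster's own code: a getfile.cfm that repeats the login check, rejects anything other than a bare allow-listed file name, and streams the file with cfcontent. The directory D:\securefiles\, the extension list and the session.loggedIn flag are assumptions.

```cfml
<!--- getfile.cfm: added example, not code from the thread. Assumptions:
      session management is on and session.loggedIn is set at login;
      D:\securefiles\ is a hypothetical directory outside the webroot;
      the "var" parameter name follows the link in the message above. --->
<cfsetting showdebugoutput="false">
<cfparam name="url.var" default="">

<!--- 1. Same test as the site's login check: no valid session, no file. --->
<cfif not structKeyExists(session, "loggedIn") or not session.loggedIn>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<!--- 2. Accept a bare file name only: one base name, one dot, one extension.
      Slashes, backslashes and ".." never match, so the request cannot
      climb out of the storage directory. --->
<cfset fileName = trim(url.var)>
<cfif not reFind("^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$", fileName)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Allow-list of extensions, mapped to the MIME type sent back.
      Anything else (.cfm, .config, ...) is refused. --->
<cfset mimeTypes = {pdf = "application/pdf", txt = "text/plain",
                    jpg = "image/jpeg", png = "image/png",
                    swf = "application/x-shockwave-flash"}>
<cfset ext = lCase(listLast(fileName, "."))>
<cfif not structKeyExists(mimeTypes, ext)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 4. Resolve against the fixed base directory and confirm the file exists. --->
<cfset baseDir = "D:\securefiles\">
<cfset fullPath = baseDir & fileName>
<cfif not fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 5. Stream the file; reset="true" discards any output generated so far. --->
<cfheader name="Content-Disposition" value='inline; filename="#fileName#"'>
<cfcontent type="#mimeTypes[ext]#" file="#fullPath#" reset="true">
```

Because the files sit outside the webroot, the web server has no URL that maps to them directly, so every download passes through this check.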
Re: [ACFUG Discuss] Blocking a ColdFusion website's directory
How does that work when you are serving a direct link to a PDF or a DOC? CF has nothing to do with that. From the original email:

My concern is how to prevent a non-authorized user from accessing or hotlinking to a non-ColdFusion page (i.e., images, pdfs, swfs, .txt etc).

From: Troy Jones t...@dynapp.com
To: discussion@acfug.org
Sent: Thursday, December 18, 2008 12:19:28 PM
Subject: RE: [ACFUG Discuss] Blocking a ColdFusion website's directory

Emile,

You can create a session variable that exists only when a user is logged in and test for that when a call comes in to your page. For example, in some include file or function, you could use a statement similar to this:

    <!--- Redirect to the login page unless the session is marked as logged in --->
    <cfif not structKeyExists(session, "loggedIn") or not session.loggedIn>
        <cflocation url="login.cfm">
    </cfif>

If the existence of variable "loggedIn" is not present, the user will be redirected to the location you determine.

As far as removing anonymous access to your content, there are a number of ways to do that. I will defer to some of the more experienced minds on the list for that one.

Hope this helps,

Troy Jones
Dynapp Support Team
678-528-2952

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Emile Melbourne
Sent: Thursday, December 18, 2008 12:01 PM
To: discussion@acfug.org
Subject: [ACFUG Discuss] Blocking a ColdFusion website's directory

Hey Everyone,

I am currently in the process of building my first secured site. Most pages of the site will be behind a login page. I'm using ColdFusion's Application.cfc onRequestStart function to check if a user is logged in or not. That's pretty much boilerplate.

My concern is how to prevent a non-authorized user from accessing or hotlinking to a non-ColdFusion page (i.e., images, pdfs, swfs, .txt etc). What's the best way to ensure a user can't link directly to these items but instead be redirected to login.cfm? Is there a way to lock down an entire directory?

Thank you for all your help

Emile
RE: [ACFUG Discuss] Blocking a ColdFusion website's directory
Emile, if your site is running on IIS, another idea would be to use the .NET framework to secure the directories. You can find discussions in various .net articles/books/blogs. Here's one simplistic discussion from MS:

http://support.microsoft.com/kb/893662

People don't tend to think of this because they think "my code is in CF". But the whole point of this discussion is that you're talking about accessing non-CF files, and therefore can consider solutions that are not CF-based.

Shawn's idea of CFCONTENT is of course a way to bring it back to CF's purview. It kind of all depends on what authentication mechanism you want to use: one under CF's control, or one you'd be willing to let be managed by something else (whether the CF, the web server or the .NET framework managing it, and whether, in the latter 2, you're using windows forms, passport, or windows authentication).

Hope that's helpful. I do realize it's WAY outside the box. :-)

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Emile Melbourne
Sent: Thursday, December 18, 2008 12:01 PM
To: discussion@acfug.org
Subject: [ACFUG Discuss] Blocking a ColdFusion website's directory

Hey Everyone,

I am currently in the process of building my first secured site. Most pages of the site will be behind a login page. I'm using ColdFusion's Application.cfc onRequestStart function to check if a user is logged in or not. That's pretty much boilerplate.

My concern is how to prevent a non-authorized user from accessing or hotlinking to a non-ColdFusion page (i.e., images, pdfs, swfs, .txt etc). What's the best way to ensure a user can't link directly to these items but instead be redirected to login.cfm? Is there a way to lock down an entire directory?

Thank you for all your help

Emile