RE: [ACFUG Discuss] Blocking a ColdFusion website's directory

2008-12-18 Thread Charlie Arehart
Emile, if your site is running on IIS, another idea would be to use the .NET
framework to secure the directories. You can find discussions in various
.net articles/books/blogs. Here's one simplistic discussion from MS:
http://support.microsoft.com/kb/893662

 

People don't tend to think of this because they think "my code is in CF".
But the whole point of this discussion is that you're talking about
accessing non-CF files, and therefore can consider solutions that are not
CF-based. Shawn's idea of CFCONTENT is of course a way to bring it back to
CF's purview. It kind of all depends on what authentication mechanism you
want to use: one under CF's control, or one you'd be willing to let be
managed by something else (whether the CF, the web server or the .NET
framework managing it, and whether, in the latter 2, you're using windows
forms, passport, or windows authentication).

Hope that's helpful. I do realize it's WAY outside the box. :-)

/charlie

 

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Emile Melbourne
Sent: Thursday, December 18, 2008 12:01 PM
To: discussion@acfug.org
Subject: [ACFUG Discuss] Blocking a ColdFusion website's directory

 

Hey Everyone,

I am currently in the process of building my first secured site. Most pages
of the site will be behind a login page. I'm using ColdFusion's
Application.cfc onRequestStart function to check if a user is logged in or
not. That's pretty much boilerplate.

My concern is how to prevent a non-authorized user from accessing or
hotlinking to non-ColdFusion pages (i.e., images, pdfs, swfs, .txt etc).

What's the best way to ensure a user can't link directly to these items but
instead be redirected to login.cfm instead?

Is there a way to lock down an entire directory?

Thank you for all your help

Emile

 


- 
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink   
- 







Re: [ACFUG Discuss] Blocking a ColdFusion website's directory

2008-12-18 Thread Teddy R. Payne
Emile,
From your description, you really need to define what "authorized" and "not
authorized" means.

This will help clarify to the people assisting you as to the approach they
can suggest.

As "authorization" and "authentication" often times are used interchangeably
by developers when in fact they represent two distinctly different topics.

Teddy R. Payne, ACCFD
Google Talk - teddyrpa...@gmail.com






Re: [ACFUG Discuss] Blocking a ColdFusion website's directory

2008-12-18 Thread shawn gorrell
How does that work when you are serving a direct link to a PDF or a DOC? CF has
nothing to do with that.

From the original email:

My concern is how to prevent a non-authorized user from
accessing or hotlinking to non-ColdFusion pages (i.e., images, pdfs, swfs, .txt
etc).





From: Troy Jones 
To: discussion@acfug.org
Sent: Thursday, December 18, 2008 12:19:28 PM
Subject: RE: [ACFUG Discuss] Blocking a ColdFusion website's directory

 
Emile,

You can create a session variable that exists only when a user
is logged in and test for that when a call comes in to your page. For example,
in some include file or function, you could use a statement similar to this:

If the existence of variable “loggedIn” is not
present, the user will be redirected to the location you determine.

As far as removing anonymous access to your content, there are a
number of ways to do that. I will defer to some of the more experienced minds
on the list for that one.

Hope this helps,

Troy Jones
Dynapp Support Team
678-528-2952
 
 




RE: [ACFUG Discuss] Blocking a ColdFusion website's directory

2008-12-18 Thread Troy Jones
Emile,

You can create a session variable that exists only when a user is logged
in and test for that when a call comes in to your page. For example, in
some include file or function, you could use a statement similar to
this:

If the existence of variable "loggedIn" is not present, the user will be
redirected to the location you determine.

As far as removing anonymous access to your content, there are a number
of ways to do that. I will defer to some of the more experienced minds
on the list for that one.

Hope this helps,

Troy Jones
Dynapp Support Team
678-528-2952

 

 





Re: [ACFUG Discuss] Blocking a ColdFusion website's directory

2008-12-18 Thread shawn gorrell
For things like that I normally store them outside the webroot and then serve 
them via a cfcontent in a cfm script. Instead of a link like 
http://mysite/mypdf.pdf it would be http://mysite/getfile.cfm?var=myfile.pdf.

That is very oversimplified, but captures the approach. 





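
The getfile.cfm approach from the message above, combined with the session check described earlier in the thread, as an added example that is not code from any poster. The folder path, the extension list and the session.loggedIn flag are assumptions; the `var` parameter and login.cfm come from the thread.

```cfml
<!--- getfile.cfm (added example). Assumes Application.cfc enables session
      management and the login code sets session.loggedIn on success. --->
<cfsetting enablecfoutputonly="true" showdebugoutput="false">

<!--- Same test as for any protected page: no session flag, no file. --->
<cfif NOT structKeyExists(session, "loggedIn")>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<!--- Hypothetical storage folder outside the webroot, so the web server
      can never serve these files directly. --->
<cfset baseDir = "D:\secure_files\">

<!--- Allowed extensions and the Content-Type sent for each. --->
<cfset mimeTypes = structNew()>
<cfset mimeTypes["pdf"] = "application/pdf">
<cfset mimeTypes["doc"] = "application/msword">
<cfset mimeTypes["txt"] = "text/plain">
<cfset mimeTypes["jpg"] = "image/jpeg">
<cfset mimeTypes["swf"] = "application/x-shockwave-flash">

<cfparam name="url.var" default="">
<cfset fileName = url.var>
<cfset ext = lCase(listLast(fileName, "."))>

<!--- Accept only a bare name such as myfile.pdf: no slashes, no "..",
      no drive letters. Without this check the parameter could name any
      file the ColdFusion service account can read. --->
<cfif NOT reFind("^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$", fileName)
      OR NOT structKeyExists(mimeTypes, ext)
      OR NOT fileExists(baseDir & fileName)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Stream the file; reset="true" discards any output generated so far. --->
<cfheader name="Content-Disposition" value='inline; filename="#fileName#"'>
<cfcontent type="#mimeTypes[ext]#" file="#baseDir & fileName#" reset="true">
```

A link such as getfile.cfm?var=myfile.pdf then reaches the file only through this page, so the login check applies to PDFs and images as well as to .cfm pages.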