The company I work for used to use an outside company for web site development. The company went out of business and instead of looking on the outside for another one, they looked to me...the IT guy. I have experience with PHP and .NET applications but I am pretty new to ColdFusion. It is pretty cool and I have gotten the hang of it pretty well, but I have one major problem. Our web site has certain areas which are restricted to logged-in users with appropriate access. In these areas, users are able to browse and download our price sheets, technical documents, etc., in PDF, XLS, and DWG formats. It is easy enough for me to lock down the pages not to display links to the documents if a user doesn't meet certain user level requirements. However, that does not stop someone who knows what they are doing from simply typing in the URL to that file to download it, even if they have the access. Typing, say, http://www.companywebpage.com/allthecompanysecrets.xls would allow them to download all of our company secrets without even logging in. Obviously it isn't likely that someone would be poking around and trying random file names, but I'd rather not take that chance. The site is hosted offsite by a different company. They are running Windows Server 2000 with ColdFusion 7, IIS, and .NET 2.0. I could probably get the company to lock down the directories using IIS, but that seems unnecessarily complex and I do not have access to the IIS console anyway. I looked around the web and cannot find any good general tutorials on locking down documents. Anyone know of a good place I can look? Thanks, Andy
Hello Andy. Instead of giving someone the full path to the download, e.g. http://www.mysite.com/file/download.xsl, you could have something similar to this: http://www.mysite.com/download.cfm?do=file-coded-in-a-secret-way or UUID() (that's what I would use), or you could even upgrade to CF9 and use virtual memory to create the file and let the user download it. Also, in my experience you should never ever ever, and I mean ever, put critical data on your site that could potentially do harm. You have also got to remember that someone could copy the download link by right clicking and posting it on a forum for others to see, which also makes another problem. I would really use the ColdFusion PDF feature to create the documents: just convert your PDFs and XLS to run with the document rendering that is in ColdFusion 9, and yes, you can render spreadsheets now in CF9, it's amazing...
The best CF-specific solution to prevent direct access is to move the physical files _outside_ of any web accessible directory. Then use <cfcontent> to serve up the files. That way the files can only be accessed through your CF page. I assume you mean even if they _don't_ have access? Though realistically, once you make information available for display or download, you have absolutely _no_ control over what happens to it from there. I saw one post where a person was exporting full CC information to xls files. (They were probably storing the data in Access too). Now there is a lawsuit just waiting to happen ... Wise choice
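One way to implement the pattern this answer describes (files kept outside the web root and streamed through <cfcontent> only after an access check), as an added CFML example that is not the answerer's code and not from the original thread. It assumes session management is enabled in Application.cfm and that login stores `session.userID` and `session.accessLevel`, that a `documents` table holds `id`, `filename` and `min_access_level`, that the datasource name is in `application.dsn`, and that the files sit in a hypothetical folder `D:\securedocs` that IIS does not serve; it sticks to CF7-era syntax because that is what the host runs.

```cfml
<!--- download.cfm: the only route to the documents; the browser never sees a real path. --->
<!--- Assumed session/DB layout: session.userID, session.accessLevel, table "documents". --->
<cfparam name="url.id" type="integer" default="0">

<!--- Not logged in: send to the login page instead of serving anything. --->
<cfif NOT structKeyExists(session, "userID") OR NOT isNumeric(session.userID)>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<!--- Resolve the opaque id to a stored record; clients never supply a filename. --->
<cfquery name="doc" datasource="#application.dsn#">
    SELECT filename, min_access_level
    FROM documents
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Unknown id or insufficient level both look like "not found" to the requester. --->
<cfif doc.recordCount NEQ 1 OR session.accessLevel LT doc.min_access_level>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Hypothetical storage folder, outside every web-accessible directory. --->
<cfset docRoot = "D:\securedocs\">
<!--- getFileFromPath() drops any directory component, so a stored value like "..\x.xls" cannot escape docRoot. --->
<cfset safeName = getFileFromPath(doc.filename)>
<cfset fullPath = docRoot & safeName>

<cfif NOT fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Only the three document types the site offers are served; anything else is refused, not guessed. --->
<cfset mimeTypes = structNew()>
<cfset mimeTypes.pdf = "application/pdf">
<cfset mimeTypes.xls = "application/vnd.ms-excel">
<cfset mimeTypes.dwg = "application/acad">
<cfset ext = lCase(listLast(safeName, "."))>
<cfif NOT structKeyExists(mimeTypes, ext)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Stream the file from disk; deletefile="false" keeps the original in place. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#safeName#""">
<cfcontent type="#mimeTypes[ext]#" file="#fullPath#" deletefile="false">
```

Links in the restricted pages then point at download.cfm?id=123 rather than at the file, and an unauthenticated request for that URL lands on the login page instead of the document.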