[personal profile] the_gneech
So I'm building a site in ColdFusion in which there are data files (e.g., MS Word Documents) that are linked to for download in a password-protected area of the site. The problem is, since the files are not .CFM files, linking directly to them bypasses the "application.cfm" file and thus bypasses the password protection script.

So what I need to do is find some way to prevent people from figuring out the links, or to make it so that linking directly to the file doesn't work. While I don't think it's particularly likely that people who have been given password access are going to just send people direct links to these files right and left, I have to build the page assuming that sooner or later, due to malice or stupidity, they will.

So ... any suggestions?

IMPORTANT NOTE: I am not allowed to use Javascript.

-The Gneech

Date: 2006-04-11 05:21 pm (UTC)
From: [identity profile] bigtig.livejournal.com
Option 1 - Use the webserver's protection files. In "apache" brand-land this is via the use of .htaccess files which forces a username and password popup before you can access anything within a directory structure. You can keep usernames and passwords in sync by writing the physical password file on the server when a password is changed. Clunky but simple. I'm guessing Netscape Cold Fusion has similar facilities.

Option 2 - Use the webserver's auth methods via your program directly. That is, your code ties into "apache" mod_auth plugin and if someone fails a session check it signals the web server to not allow them access in the area. This is the most optimal solution from a web application point of view, however it requires access to the server app and also a fair amount of coding, thus, option #3:

Option 3 - old school method - Write a file.cfm that serves the files. Quite literally it checks the users authentication, etc, and then based upon form submits or the encoded URL info it copies a file off the drive, slaps a content header on it, and spits it out. If the user fails auth, it should throw a CGI redirect to a standard error page. The only downside to this is you're forking a CGI process for each hit, but requires no server work or javascripty or nothing. Also make sure it can't be teased to serve up anything but the files you want. Old school.

Date: 2006-04-11 05:22 pm (UTC)
From: [identity profile] daemionfox.livejournal.com
I was going to suggest #3 myself. Write a CF script that grabs the files from somewhere not-web-space, slaps the appropriate content header and reads the file into the script itself.
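A sketch of the option #3 download script described in the two comments above, as an added example that is not code from anyone in the thread. It assumes application.cfm turns on session management and that the login script sets `session.loggedIn`; that variable name, `login.cfm`, the `doc` URL parameter, the storage path and the file names are all hypothetical placeholders.

```cfml
<!--- file.cfm: added example. Because this is a .cfm file, application.cfm
      runs before it, so the site's existing login logic still applies. --->

<!--- 1. Refuse anyone without an authenticated session.
         session.loggedIn is an assumed name set by the login script. --->
<cfif NOT StructKeyExists(session, "loggedIn") OR NOT session.loggedIn>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- 2. Documents live outside the web root, so no URL maps to them directly.
         Placeholder path; use a directory the web server does not publish. --->
<cfset docRoot = "D:\private_docs\">

<!--- 3. Allowlist: the URL carries only a short key, never a file name or path.
         A value such as ..\..\boot.ini matches no key and is rejected,
         so the script cannot be teased into serving other files. --->
<cfset docs = StructNew()>
<cfset docs["handbook"] = "handbook.doc">
<cfset docs["minutes"]  = "minutes-april.doc">

<cfparam name="url.doc" default="">
<cfif NOT StructKeyExists(docs, url.doc)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 4. Build the path only from trusted values and confirm the file exists. --->
<cfset fileName = docs[url.doc]>
<cfset filePath = docRoot & fileName>
<cfif NOT FileExists(filePath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 5. Send the content headers and stream the file to the browser. --->
<cfheader name="Content-Disposition" value='attachment; filename="#fileName#"'>
<cfcontent type="application/msword" file="#filePath#" deletefile="no">
```

Links inside the protected area then point at `file.cfm?doc=handbook` instead of at the Word document, and a copied link only works for someone who is logged in.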

Date: 2006-04-11 07:10 pm (UTC)
From: [identity profile] the-gneech.livejournal.com
I'm trying #3 now, actually ... but so far it's way over my head. Guess it's time to sit and puzzle over da manual.

-TG

Date: 2006-04-11 10:19 pm (UTC)
From: [identity profile] laurie-robey.livejournal.com
We have a Windows server rather than a Unix server.

Date: 2006-04-11 05:46 pm (UTC)
From: [identity profile] fferret.livejournal.com
Yes, I have a suggestion. Don't use obsolete web technologies to build sites. You're welcome. (*winks*) Apropos of nothing related to this thread, farewell to [livejournal.com profile] pholph, he'll be missed. Do you want to work out a gamedate for a tryout?

Date: 2006-04-11 07:51 pm (UTC)
From: [identity profile] the-gneech.livejournal.com
We can probably arrange something in a few weeks if you'd like to come 'round for a game, but it won't be for a bit 'cause of RL interference. Send me a note via thegneech at gmail.

-TG

Date: 2006-04-11 07:59 pm (UTC)
From: [identity profile] fferret.livejournal.com
WHAT!?!?! You actually let Life come before gaming!?!? Fie on thee, sirrah! (*grins, chuckling*) Sure thing, Gneech.

Date: 2006-04-11 05:47 pm (UTC)
From: [identity profile] fferret.livejournal.com
Oh, also...use the .htaccess file. Works a treat!
