All: I hope you can provide me with some guidance on the following issue, and especially on whether my web host's tech support is incorrect.
I've run into an interesting security problem with ColdFusion. I am the webmaster for STFM.org. We have protected various directories using our web host's file permission interface on the control panel for our web site. For several directories we have set the user Everyone's access to none for that directory and any files/subdirectories in the directory.

However, after moving to our new CF MX server, I noticed that the CF files in our protected directories are being served up even though the directory is protected (I checked to ensure it was still protected after the move). If you try to load a non-CF file (for example test.htm) that is located in the same protected directory, the server requests that you provide a username and password before it returns the file to your computer. The server does not do this with the CF file; it just returns the file.

According to a phone conversation I had with one of our web host's tech support personnel late on 1 August, CF files are not protected by the file permission settings on the Windows server, since the CF MX server bypasses the web server to return the files to the browser. However, after consulting another very experienced ColdFusion developer and checking the ColdFusion MX documentation (see http://download.macromedia.com/pub/coldfusion/documentation/cfmx_dev_cf_apps.pdf, page 353), I've learned that basic HTTP authentication should protect CF files. I believe the information I was given by the support technician to be incorrect. Removing the user Everyone's access in some of our subdirectories should also protect the CF files in those subdirectories.

Any information on your experience in using basic HTTP authentication to protect CF files in a directory from being served up without the user entering a username and password would be appreciated. I really think the tech support is incorrect and there is some other problem on the web server.
I don't want to use CFLOGIN or some other application login script if I don't have to.

Thank You,
Bruce

Bruce Phillips
Society of Teachers of Family Medicine
913-906-6000 ext 5405
[EMAIL PROTECTED]

______________________________________________________________________
The KCFusion.org list and website is hosted by Humankind Systems, Inc.
List Archives........ http://www.mail-archive.com/[EMAIL PROTECTED]
Questions, Comments or Glowing Praise.. mailto:[EMAIL PROTECTED]
To Subscribe.................... mailto:[EMAIL PROTECTED]
To Unsubscribe................ mailto:[EMAIL PROTECTED]
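One way to confirm the symptom Bruce describes across every protected directory, rather than by hand in a browser, is to send an unauthenticated GET for a static canary file and for a .cfm file in the same directory and compare the status codes: a 401 on test.htm next to a 200 on test.cfm is exactly the bypass he reports. The script below is an added example, not code from the original post or from the KCFusion list; the base URL, directory list and canary file names are assumptions, and the offline response table is constructed so the script runs without a server.

```python
"""
Audit directories that should be protected by web-server basic authentication.

For each directory we request a static canary (test.htm) and a ColdFusion
canary (test.cfm) with NO credentials and classify the pair of status codes.
The verdict "BYPASS" is the case from the post: the static file prompts for a
password (401) while the .cfm file is served (200).
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Assumed values: replace with your own site, protected paths and canary files.
BASE_URL = "https://example.org"           # hypothetical host
PROTECTED_DIRS: List[str] = ["/members/", "/board/"]   # hypothetical directories
STATIC_CANARY = "test.htm"                 # non-CF file, as in the post
CF_CANARY = "test.cfm"                     # CF file in the same directory


def http_status(url: str, timeout: float = 10.0) -> int:
    """Return the HTTP status of an unauthenticated GET (no Authorization header)."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive as exceptions; the code is what we want.
        return err.code


def classify(static_code: int, cf_code: int) -> str:
    """Turn the (static, cfm) status pair into a verdict for one directory."""
    if static_code == 401 and cf_code == 401:
        return "protected"       # both files prompt for credentials
    if static_code == 401 and cf_code == 200:
        return "BYPASS"          # the symptom described in the post
    if static_code == 200 and cf_code == 200:
        return "unprotected"     # the directory is not protected at all
    # Anything else (404 because a canary is missing, 403, 5xx) tells us
    # nothing about authentication; make sure both canary files exist.
    return "inconclusive"


def audit(base_url: str, dirs: List[str],
          fetch: Callable[[str], int] = http_status) -> Dict[str, Tuple[int, int, str]]:
    """Probe every directory and return {dir: (static_code, cf_code, verdict)}."""
    results: Dict[str, Tuple[int, int, str]] = {}
    for d in dirs:
        static_code = fetch(base_url + d + STATIC_CANARY)
        cf_code = fetch(base_url + d + CF_CANARY)
        results[d] = (static_code, cf_code, classify(static_code, cf_code))
    return results


# Constructed offline responses that reproduce the post: /members/ shows the
# bypass, /board/ is protected as intended.
FAKE_RESPONSES: Dict[str, int] = {
    "https://example.org/members/test.htm": 401,
    "https://example.org/members/test.cfm": 200,
    "https://example.org/board/test.htm": 401,
    "https://example.org/board/test.cfm": 401,
}


def fake_fetch(url: str) -> int:
    """Stand-in for http_status that answers from the constructed table."""
    return FAKE_RESPONSES.get(url, 404)


if __name__ == "__main__":
    # Swap fake_fetch for http_status to run against a real host.
    for d, (s, c, verdict) in audit(BASE_URL, PROTECTED_DIRS, fake_fetch).items():
        print(f"{d:12s} {STATIC_CANARY}={s} {CF_CANARY}={c} -> {verdict}")
```

Run it once without credentials from a machine outside your network; any directory reported as BYPASS is one where the web server's basic authentication is not being applied to the .cfm request, which is the evidence to put in front of the host's support staff. An "inconclusive" row usually just means one of the two canary files is missing from that directory.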