You are correct that the application.cfm will only do its security check on
cfm files.  One way to handle your other files is to store them in a
directory path that is not underneath the web server's root.  This will
prevent someone from putting in a direct path to the files.  You can use
cffile to put the files anywhere on the server that you have access to.
Then in your application, use cfcontent to actually deliver the files.  That
way, the only files that your users have access to are the cf files that go
and retrieve the other files and serve them up.

-greg


============================
Greg Bray
eCalton.com, Inc.
(561) 569-4500
(561) 569-6360 Fax
http://www.ecalton.com
[EMAIL PROTECTED]

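The pattern Greg describes, written out as an added example (this is not code from the original post or from eCalton): uploads are written with cffile to a directory that is not under the web root, and a .cfm page, which application.cfm already gates, streams them back with cfcontent. The storage path, the session.loggedIn flag, the "userfile" form field and the filenames download.cfm/login.cfm are assumptions chosen for the example.

```cfml
<!--- upload.cfm (added example, not from the original thread).
      Store the upload OUTSIDE the web root so no URL can reach it directly.
      D:\uploads\ is an assumed path; pick any directory the CF service
      account can write to that the web server does not publish. --->
<cfset storageDir = "D:\uploads\">
<cffile action="upload"
        filefield="userfile"
        destination="#storageDir#"
        nameconflict="makeunique">

<!--- download.cfm (added example, not from the original thread).
      Because this is a .cfm page, application.cfm runs first and performs
      the login check; the explicit check below is repeated only so the
      example works stand-alone. session.loggedIn is an assumed flag. --->
<cfif NOT IsDefined("session.loggedIn") OR NOT session.loggedIn>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<cfset storageDir = "D:\uploads\">

<!--- Accept a bare filename only. GetFileFromPath drops any directory
      part, so a request such as ?file=..\..\secret.txt cannot walk out of
      storageDir. --->
<cfparam name="url.file" default="">
<cfset safeName = GetFileFromPath(url.file)>

<cfif NOT Len(safeName) OR NOT FileExists(storageDir & safeName)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Stream the file from outside the web root; the browser never
      learns the real location. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#safeName#""">
<cfcontent type="application/octet-stream"
           file="#storageDir & safeName#"
           deletefile="no">
```

With this layout a user who knows an uploaded file's name still has to pass through download.cfm, and therefore through application.cfm, to retrieve it; the only thing the web server can serve directly is the .cfm page itself.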

-----Original Message-----
From: Wey Hueymeei [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 25, 2000 10:08 AM
To: [EMAIL PROTECTED]
Subject: Directory Security



Hello,

We have a security system built in application.cfm, which disallows users from
accessing our site without providing a valid username and password.
i.e. when a user puts a URL in the location bar, if he has not logged in, he
would be redirected to the login page first before seeing the actual page.

But we just have a security problem with the system:  There is a directory
for users to upload files. If the file is not in CFM format, it seems that
application.cfm cannot do a security check. Therefore, if the person
knows the URL, he could see the page without logging into the system.

Could anybody help?

Thanks in advance,

Hueymeei


------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.
