Yes, you are right. You have to keep these files "behind" a .cfm page (or any dynamic page, for that matter).
You should keep your documents out of the web root so that they are not web-accessible. Your links would be formatted such as: www.mydomain.com/download.cfm&doc=123

In "download.cfm", you check to make sure the user has the appropriate authorization to view the file. If so, use CFCONTENT to drop the file to the browser. If not, show a "tsk-tsk" page.

One other option is to store the files in a database, but that would not be required in this instance. It is just another solution to file storage. (This suggestion could also start one heckuva holy war!)

M!ke

-----Original Message-----
From: Ryan Guill [mailto:[EMAIL PROTECTED]
Sent: Monday, September 12, 2005 3:07 PM
To: CF-Talk
Subject: file system access security question

Hey guys,

A coworker asked me about this today and although I know there is an answer, and I am almost positive there is a very simple answer, for the life of me I can't think of it.

Thinking forward about an upcoming project, we will have files that only certain parties are authorized to view. Binary files such as word documents, pdf files, excel documents, possibly images, etc.

If we link to these files in a web page directly, there would be nothing stopping any savvy web-user from viewing the source and seeing where a file is stored, and possibly guessing where other files are stored. Of course they would not only have to guess the file structure (which would probably be relatively simple) but would also have to guess the filename (which could be harder, but still not impossible).

So, how would we restrict access to those files through the web short of pulling everything through flash or something? Is there a way to possibly make a temporary link to the file, or an actual temporary file, although both of those methods have noticeable drawbacks. Would this be a case for cfcontent or cfheader? Those are two tags I don't have a very good working knowledge of.

Thanks guys for any response.
--
Ryan Guill
BlueEyesDevelopment
[EMAIL PROTECTED]
www.ryanguill.com
(270) 217.2399

The Coldfusion Open Application Library - COAL - http://coal.ryanguill.com
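
The gatekeeper page described in the reply above, sketched as an added example that is not part of the original thread. The table and column names (`documents`, `document_access`), `session.userId`, `application.dsn`, `denied.cfm` and the `D:\secure_docs\` path are all assumptions made for illustration.

```cfml
<!--- download.cfm (added example; all table, session and path names are assumed) --->
<cfparam name="url.doc" default="">

<!--- Accept only a numeric document id from a logged-in user.
      The request never supplies a file name or path. --->
<cfif NOT isValid("integer", url.doc) OR NOT structKeyExists(session, "userId")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfinclude template="denied.cfm">
    <cfabort>
</cfif>

<!--- A row comes back only if this user is authorized for this document. --->
<cfquery name="qDoc" datasource="#application.dsn#">
    SELECT d.stored_name, d.display_name, d.mime_type
    FROM documents d
    INNER JOIN document_access a ON a.doc_id = d.doc_id
    WHERE d.doc_id = <cfqueryparam value="#url.doc#" cfsqltype="cf_sql_integer">
      AND a.user_id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same response for "no such document" and "not yours", so ids cannot be probed. --->
<cfif qDoc.recordCount NEQ 1>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfinclude template="denied.cfm">
    <cfabort>
</cfif>

<!--- Files live outside the web root. getFileFromPath() drops any directory
      component, so a bad database value cannot climb out of docRoot. --->
<cfset docRoot = "D:\secure_docs\">
<cfset filePath = docRoot & getFileFromPath(qDoc.stored_name)>

<cfif NOT fileExists(filePath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Restrict the download name to a safe character set before it goes in a header. --->
<cfset safeName = reReplace(qDoc.display_name, "[^A-Za-z0-9._-]", "_", "all")>
<cfheader name="Content-Disposition" value='attachment; filename="#safeName#"'>
<cfheader name="X-Content-Type-Options" value="nosniff">
<cfcontent type="#qDoc.mime_type#" file="#filePath#" deleteFile="no" reset="yes">
```

Because the authorization check runs on every request, a copied or guessed link gives nothing to a user who is not in `document_access` for that id.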

