I put stuff like that on S3, with read access denied. When someone wants to view the resource, they're sent to a proxy page (written in CF or whatever) that will build a signed URL that will allow them read access to the resource for a period of time (a few minutes, a couple hours, whatever is appropriate), and then redirect them to it.
This way I don't have to use CFCONTENT to serve back the files, which can put a lot of request load on your server, particularly if you have large files. For example:

http://private.barneyb.com.s3.amazonaws.com/test.txt

http://private.barneyb.com.s3.amazonaws.com/test.txt?AWSAccessKeyId=0YVN1G49J71QKD4Y0982&Expires=1248891355&Signature=3cG84/WwhT5JCSv5BgEHW22ZQ9Y%3D

The latter link is good for 24 hours, so will expire around 11:15 US Pacific time on July 29th 2009.

cheers,
barneyb

On Tue, Jul 28, 2009 at 11:11 AM, Scott Mulholland wrote:
> I imagine this is a common issue:
>
> Let's say you have a bunch of PDFs in a directory: /pdfs and the links to the
> files in the site are behind a login so non-registered users cannot access
> them. If a user knew the link to the file:
> http://www.mysite.com/pdfs/sample.pdf they could still get to it in the
> browser without signing in. Is there any way outside of Windows
> authentication at the directory level to prevent this? What is the standard
> way of dealing with this (if any)?
>
> Thanks,
> Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325048
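Added example, not part of the original message: a Python sketch of how a URL with the AWSAccessKeyId/Expires/Signature parameters shown above is built (the legacy S3 query-string signature, HMAC-SHA1 over a string that includes the expiry and the resource path), plus a model of the check the service performs. The bucket name, key ID, secret and function names are constructed for illustration; current AWS SDKs generate Signature Version 4 presigned URLs instead.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

HOST_SUFFIX = ".s3.amazonaws.com"

def _signature(secret_key, resource, expires):
    # Legacy string-to-sign for a GET with no Content-MD5 / Content-Type:
    # the verb, two empty lines, the expiry (epoch seconds) and the resource.
    string_to_sign = f"GET\n\n\n{expires}\n{resource}"
    mac = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_signed_url(access_key_id, secret_key, bucket, key, expires):
    """What the proxy page does before redirecting a logged-in user."""
    path = "/" + quote(key)
    sig = _signature(secret_key, f"/{bucket}{path}", expires)
    return (f"http://{bucket}{HOST_SUFFIX}{path}"
            f"?AWSAccessKeyId={access_key_id}&Expires={expires}"
            f"&Signature={quote(sig, safe='')}")

def check_signed_url(url, secret_key, now):
    """Model of the service-side check: 'ok', 'expired' or 'bad-signature'."""
    parts = urlsplit(url)
    bucket = parts.hostname[: -len(HOST_SUFFIX)]
    query = parse_qs(parts.query)
    expires = int(query["Expires"][0])
    expected = _signature(secret_key, f"/{bucket}{parts.path}", expires)
    # Expires and the path are both covered by the MAC, so editing either
    # one in the URL invalidates the signature.
    if not hmac.compare_digest(expected, query["Signature"][0]):
        return "bad-signature"
    return "ok" if now <= expires else "expired"

if __name__ == "__main__":
    # Constructed credentials and object name, valid until epoch second 1000.
    secret = "constructed-secret-not-real"
    url = build_signed_url("AKIDEXAMPLE", secret,
                           "example-private-bucket", "pdfs/sample.pdf", 1000)
    print(url)
    print(check_signed_url(url, secret, now=900))    # within the window
    print(check_signed_url(url, secret, now=1001))   # after expiry
    print(check_signed_url(url.replace("Expires=1000", "Expires=9999"),
                           secret, now=1001))        # expiry edited by the client
```

The secret key stays on the server that runs the proxy page; only the signature derived from it ever appears in the redirect.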

