Mischa,
Yes, but as you can see from Shawn's comment that Shawn was approaching the
topic from the point of authorization.  From the response by Troy, this
leads to authentication.

So, his usage of diction or use of the word is indeed correct, but not
everyone interpreted it that way as it still provided some confusion
regardless.

The solution may very well use both concepts to achieve his desired result.


A use that I have witnessed has to deal with Shawn's suggestion of putting
the files in a non-webroot accessible directory or network source.  Then a
controller mechanism would have to understand how to "serve once" either
through a mechanism of being an authenticated user with an authorized
role of being able to see a document.  Or, the site does not have
authentication and the mechanism must have a more introspective ability to
discern a user through their token, IP or whatever.  The public approach
would suggest a tracking process to see if a particular requestor has asked
for the document before or not.

This also brings up the question, how do you determine who has the
authorization to request a particular artifact multiple times?

This may be over-complicating his initial scope of the application, but
these are questions that I would ask whenever someone would task me with a
file-serving application on potentially limited-release documents.

In any event, I was not criticizing Emile.  I was asking for more detail
before offering generic advice/guidance.

Teddy R. Payne, ACCFD
Google Talk - teddyrpa...@gmail.com
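The controller mechanism described above, as an added CFML example that is not code from anyone on this thread. Because Application.cfc only runs for requests ColdFusion itself handles, documents are moved outside the webroot (Shawn's suggestion) so the web server cannot serve them, and this handler becomes the only route to them. Assumed: the login code sets session.isLoggedIn and session.roles, C:\securefiles\ is a constructed storage path, and the inline catalog stands in for a database table.

```cfml
<!--- download.cfm: the only route to documents stored outside the webroot.
      Added example, not code from the list thread. Assumes the login code
      sets session.isLoggedIn and session.roles (a comma list), and that the
      files live under C:\securefiles\ (a constructed path). --->
<cfset protectedRoot = "C:\securefiles\">

<!--- Catalog of document id -> file, required role, MIME type and whether the
      document may be fetched only once per session. A constructed stand-in
      for a database table; callers name an id, never a path, so no user input
      reaches the file system. --->
<cfset catalog = {
    annualreport = { file = "annual-report-2008.pdf", role = "member",
                     mime = "application/pdf", once = true },
    brochure     = { file = "brochure.pdf", role = "public",
                     mime = "application/pdf", once = false }
}>

<cfparam name="url.id" default="">

<!--- Unknown id: 404, without echoing the request back to the client. --->
<cfif NOT structKeyExists(catalog, url.id)>
    <cfheader statuscode="404" statustext="Not Found"><cfabort>
</cfif>
<cfset doc = catalog[url.id]>

<!--- Authentication: non-public documents need a logged-in session. --->
<cfif doc.role NEQ "public"
      AND (NOT structKeyExists(session, "isLoggedIn") OR NOT session.isLoggedIn)>
    <cflocation url="login.cfm?returnTo=#urlEncodedFormat(cgi.script_name & '?' & cgi.query_string)#"
                addtoken="false">
</cfif>

<!--- Authorization: the user must also hold the document's role. --->
<cfif doc.role NEQ "public" AND NOT listFindNoCase(session.roles, doc.role)>
    <cfheader statuscode="403" statustext="Forbidden"><cfabort>
</cfif>

<!--- "Serve once": track ids already fetched in this session. Persist this in
      a table keyed by user if the limit must survive logout or a new browser. --->
<cfif NOT structKeyExists(session, "served")><cfset session.served = structNew()></cfif>
<cfif doc.once AND structKeyExists(session.served, url.id)>
    <cfheader statuscode="403" statustext="Already downloaded"><cfabort>
</cfif>
<cfset session.served[url.id] = now()>

<!--- Stream the bytes; the client never learns the real path. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#doc.file#""">
<cfcontent type="#doc.mime#" file="#protectedRoot & doc.file#" deletefile="false">
```

Links in the site then point at download.cfm?id=annualreport rather than at the file, and the once flag per document is where the "who may request it multiple times" decision lives.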



On Thu, Dec 18, 2008 at 1:32 PM, Mischa Uppelschoten ext 10 <
mischa.uppelscho...@bankersx.com> wrote:

> OP never used the word "authentication". From wikipedia: "authorization is
> the concept of allowing access to resources only to those permitted to use
> them." Seems to me he used the term properly.
> /m
>
>
>
> ---------- Original Message ----------
>
> FROM:      "Teddy R. Payne" <teddyrpa...@gmail.com>
> TO:        <discussion@acfug.org>
> DATE:      Thu, 18 Dec 2008 13:25:15 -0500
>
> SUBJECT:   Re: [ACFUG Discuss] Blocking a ColdFusion website's directory
>
> Emile,
> From your description, you really need to define what "authorized" and "not
> authorized" means.
>
> This will help clarify to the people assisting you as to the approach they
> can suggest.
>
> As "authorization" and "authentication" are often used
> interchangeably by developers when in fact they represent two distinctly
> different topics.
>
> Teddy R. Payne, ACCFD
> Google Talk - teddyrpa...@gmail.com
>
>
>
>
> On Thu, Dec 18, 2008 at 12:00 PM, Emile Melbourne <
> emile.melbou...@gmail.com> wrote:
>
>
>    Hey Everyone,
>
>    I am currently in the process of building my first secured site.  Most
> pages of the site will be behind a login page.  I'm using ColdFusion's
> Application.cfc onRequestStart function to check if a user is logged in or
> not.  That's pretty much boilerplate.
>
>    My concern is how to prevent a non-authorized user from accessing or
> hotlinking to non-ColdFusion pages (i.e., images, pdfs, swfs, .txt etc).
>
>    What's the best way to ensure a user can't link directly to these items
> but instead be redirected to login.cfm?
>
>    Is there a way to lock down an entire directory?
>
>    Thank you for all your help
>    Emile
>
>
>    -------------------------------------------------------------
>    To unsubscribe from this list, manage your profile @
>    http://www.acfug.org?fa=login.edituserform
>
>    For more info, see http://www.acfug.org/mailinglists
>    Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>     List hosted by FusionLink <http://www.fusionlink.com>
>    -------------------------------------------------------------


