I guess it was bound to happen
Hello everyone.

I have a site where a password is required to access the site. On pages in the site, there are links to download files. I set the appropriate meta tags and robots.txt to tell the search engines to not spider the site. Though the site pages are not in Google, the files are showing up. That's bad.

It's a lot of files, so before I code up a solution to access all the through logic so I can control the permissions, is there some way to protect a directory so that files can't be downloaded without being logged in on the site? My guess is the answer is no, but I thought I would ask.

-RR

~|
Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352081
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: I guess it was bound to happen
Are you using IIS security for login or CFM security?

On Fri, Aug 10, 2012 at 1:02 PM, Robert Rhodes rrhode...@gmail.com wrote:
> Hello everyone.
>
> I have a site where a password is required to access the site. On pages in the site, there are links to download files. I set the appropriate meta tags and robots.txt to tell the search engines to not spider the site. Though the site pages are not in Google, the files are showing up. That's bad.
>
> It's a lot of files, so before I code up a solution to access all the through logic so I can control the permissions, is there some way to protect a directory so that files can't be downloaded without being logged in on the site? My guess is the answer is no, but I thought I would ask.
>
> -RR
Re: I guess it was bound to happen
CF can only protect CF files if they are web accessible. If you request a PDF file for example, CF is never involved in this process.

The best solution is to use server side security to password protect the folder and not CF. If you are on Apache then simply use .htaccess for this. If you are on Windows/IIS then take a look at Helicon APE.

On Fri, Aug 10, 2012 at 7:02 PM, Robert Rhodes rrhode...@gmail.com wrote:
> Hello everyone.
>
> I have a site where a password is required to access the site. On pages in the site, there are links to download files. I set the appropriate meta tags and robots.txt to tell the search engines to not spider the site. Though the site pages are not in Google, the files are showing up. That's bad.
>
> It's a lot of files, so before I code up a solution to access all the through logic so I can control the permissions, is there some way to protect a directory so that files can't be downloaded without being logged in on the site? My guess is the answer is no, but I thought I would ask.
>
> -RR
Re: I guess it was bound to happen
The only way to reliably do this is to make it so the files' directory is not accessible via HTTP. The two most common ways to do this are:

- put directory above / outside the webroot
- tell IIS / Apache / webserver to disregard directory (if it's under / inside webroot)

...and then retrieve / serve files using CFML tags:

http://ray.camdenfamily.com/index.cfm/2006/3/10/Ask-a-Jedi-Using-ColdFusion-to-serve-files

On Fri, Aug 10, 2012 at 2:02 PM, Robert Rhodes rrhode...@gmail.com wrote:
> Hello everyone.
>
> I have a site where a password is required to access the site. On pages in the site, there are links to download files. I set the appropriate meta tags and robots.txt to tell the search engines to not spider the site. Though the site pages are not in Google, the files are showing up. That's bad.
>
> It's a lot of files, so before I code up a solution to access all the through logic so I can control the permissions, is there some way to protect a directory so that files can't be downloaded without being logged in on the site? My guess is the answer is no, but I thought I would ask.
>
> -RR
Re: I guess it was bound to happen
+1 what John said, I was just going to send the same link =]

On Fri, Aug 10, 2012 at 11:07 AM, John M Bliss bliss.j...@gmail.com wrote:
> The only way to reliably do this is to make it so the files' directory is not accessible via HTTP. The two most common ways to do this are:
>
> - put directory above / outside the webroot
> - tell IIS / Apache / webserver to disregard directory (if it's under / inside webroot)
>
> ...and then retrieve / serve files using CFML tags:
>
> http://ray.camdenfamily.com/index.cfm/2006/3/10/Ask-a-Jedi-Using-ColdFusion-to-serve-files
>
> On Fri, Aug 10, 2012 at 2:02 PM, Robert Rhodes rrhode...@gmail.com wrote:
> > Hello everyone.
> >
> > I have a site where a password is required to access the site. On pages in the site, there are links to download files. I set the appropriate meta tags and robots.txt to tell the search engines to not spider the site. Though the site pages are not in Google, the files are showing up. That's bad.
> >
> > It's a lot of files, so before I code up a solution to access all the through logic so I can control the permissions, is there some way to protect a directory so that files can't be downloaded without being logged in on the site? My guess is the answer is no, but I thought I would ask.
> >
> > -RR
Re: I guess it was bound to happen
> I set the appropriate meta tags and robots.txt to tell the search engines to not spider the site.

Only well-behaved bots will follow the robots.txt recommendations. There are also bad bots which don't care about reading the file, and very bad bots which do read the file for the sole purpose of requesting what you want to hide.
Re: I guess it was bound to happen
The problem with serving files using CF is that you are putting considerable extra load onto CF, as it has to load the file into memory and then serve it. If it's a busy site serving lots of files then this may well overload your CF server, especially if you're on shared hosting.

By using .htaccess as I said, you do not involve CF in the task at all. If you want to control permissions on other parts of your app as well, then this is also easy to achieve, as you can pass the login used from htaccess to CF and then use that for your role based security within your CF app as you already do.

On Fri, Aug 10, 2012 at 8:07 PM, wrote:
> > I set the appropriate meta tags and robots.txt to tell the search engines to not spider the site.
>
> Only well-behaved bots will follow the robots.txt recommendations. There are also bad bots which don't care about reading the file, and very bad bots which do read the file for the sole purpose of requesting what you want to hide.
Re: I guess it was bound to happen
Simply put sensitive files outside the web root and have CF pull them as needed - no spider is going to index inaccessible files ;-)

My 2 cents in the 20 seconds I thought about this. HTH ;-)

...and I'm sure you'll get loads of other options - this one to me is simple and solid.

Cheers

On Fri, 2012-08-10 at 14:02 -0400, Robert Rhodes wrote:
> Hello everyone.
>
> I have a site where a password is required to access the site. On pages in the site, there are links to download files. I set the appropriate meta tags and robots.txt to tell the search engines to not spider the site. Though the site pages are not in Google, the files are showing up. That's bad.
>
> It's a lot of files, so before I code up a solution to access all the through logic so I can control the permissions, is there some way to protect a directory so that files can't be downloaded without being logged in on the site? My guess is the answer is no, but I thought I would ask.
>
> -RR
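
Added example, not part of any post in this thread: a minimal CFML download page for the approach suggested in the two replies above that recommend keeping the files outside the webroot and letting CF serve them only to logged-in users. The names `download.cfm`, `session.isLoggedIn`, `url.file` and the directory path are assumptions chosen for illustration.

```cfml
<!--- download.cfm (hypothetical name): serves files stored OUTSIDE the webroot. --->
<!--- Assumptions: sessions are enabled and the site's existing CF login sets
      session.isLoggedIn; protectedDir is a placeholder path, not from the thread. --->
<cfset protectedDir = "/var/app/protected-files/">
<cfparam name="url.file" default="">

<!--- 1. Refuse anyone who has not passed the site's CF login. --->
<cfif NOT structKeyExists(session, "isLoggedIn") OR NOT session.isLoggedIn>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 2. Accept a bare file name only: no slashes, no backslashes, no leading
      dot, so a request cannot climb out of protectedDir with "../". --->
<cfif NOT reFind("^[A-Za-z0-9][A-Za-z0-9._-]*$", url.file)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Only serve files that actually exist in the protected directory. --->
<cfset fullPath = protectedDir & url.file>
<cfif NOT fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 4. Meta tags cannot be placed in a PDF or ZIP; X-Robots-Tag is the
      HTTP-header form of the same "do not index" request. --->
<cfheader name="X-Robots-Tag" value="noindex, nofollow">
<cfheader name="Content-Disposition" value='attachment; filename="#url.file#"'>

<!--- 5. Send the file. deleteFile="no" leaves the stored copy in place. --->
<cfcontent type="application/octet-stream" file="#fullPath#" deleteFile="no" reset="yes">
```

Links on the secure pages would then point at `download.cfm?file=<name>` instead of at the files themselves, so there is no direct URL left for a crawler to fetch.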
Re: I guess it was bound to happen
Yes, I am using CF for login security.

Thanks to all for the suggestions. While I am considering the various suggestions, I renamed the directory and removed the insecure page that had links to the files (the client put this page up with the CMS). I then changed all the links on the secure pages to the new directory name. That solves the problem now while I work out a more permanent solution.

Thanks again for the help.

-RR

On Fri, Aug 10, 2012 at 2:05 PM, Brian Thornton br...@cfdeveloper.com wrote:
> Are you using IIS security for login or CFM security?
>
> On Fri, Aug 10, 2012 at 1:02 PM, Robert Rhodes rrhode...@gmail.com wrote:
> > Hello everyone.
> >
> > I have a site where a password is required to access the site. On pages in the site, there are links to download files. I set the appropriate meta tags and robots.txt to tell the search engines to not spider the site. Though the site pages are not in Google, the files are showing up. That's bad.
> >
> > It's a lot of files, so before I code up a solution to access all the through logic so I can control the permissions, is there some way to protect a directory so that files can't be downloaded without being logged in on the site? My guess is the answer is no, but I thought I would ask.
> >
> > -RR