Application.cfm and non *.cfm files

[nero]

Hi all

I've hit a wall with this one:

My understanding is that application.cfm will only secure *.cfm files.

If I have users uploading word doc's or pdf's into the application root they will be open to access via an absolute url without any cf challenge, right?

I'm trying to figure out how to lock these files down.

<cfcontent> to the files outside the application root was an option, but as this application will run from an SSL server, I hear there could be problems.

I tried advanced security and it wouldn't lock down these files, even if I specified *.doc for example.

I would like to avoid NT security on this one if possible, due to the number of seperate accounts which need to be created.

Any ideas?

Cheers

Nero

 

[GunJack]

Hey Nero,

Is it possible to protect the files by hiding their path? If so, you can have CF return the files through the <cfcontent> tag if they are authenticated. If not, I don't see any real efficient way to do what you need. There are some ways that might work but I would consider them more of a &quot;hack&quot; than a real solution.

GJ

 

[nero]

Thanks GunJack

I've have heard problems using <cfcontent> and SSL together. Have you, or anyone else heard of this?

Thanks for your help

Nero

 

[GunJack]

Hey nero,

I have never heard of any specific problems with it and I have some clients who use the tag regularly.

GJ

 

[nero]

GunJack

A collegue of mine tried it under SSL and what was returned was a type binary contents of the file. I suppose this makes sense considering encryption etc.

I'll try and replicate the error and see what I find.


Thanks for your time.

Nero