Securing file access in CFMX
Citizen1200
I'm trying to put together a customer support area where users can log in and download product manuals for products they've purchased. I can restrict page access just fine using the built-in CFMX security framework, but I can't figure out how to restrict access to the .pdf file for the manual itself. The O'Reilly "Programming ColdFusion MX" book says to place the file in a directory outside of your web server directory and then build a restricted CF template that uses CFCONTENT to grab the file. I tried this and our engineers hacked it in 5 minutes - if you know the filename of the manual that you're looking for (or guess it correctly) you can simply pass that to the CF template in the URL and presto...you have access to a manual you aren't supposed to be seeing. Securing file access seems like something that should be basic, but it's not covered in Forta's "Web Application Construction Kit" and the O'Reilly method isn't secure. Can't seem to find any online resources either. Any advice would be greatly appreciated, thanks!
jamie
HostMySite Sales Rep
If the filename is obscure enough to prevent casual guessing, wouldn't that make it an effective solution? Then only those that have already been to the site would be able to find it. And, to prevent accidental access by a webcrawling spider, you could add a simple login/password to the pages?
Citizen1200
Unfortunately the file names can't be obscure. I did solve the problem however - instead of using a hyperlink to link to the display.cfm template that calls cfcontent, I used a form w/ hidden variables and a submit button. Seems to work; I had a couple of our software engineers try to get around it and they couldn't.
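The entitlement check the first post is after, as an added example that is not code from this thread or from either book: a download.cfm that takes a numeric manual id instead of a filename and only serves the PDF after a query confirms the logged-in user (via cflogin's getAuthUser()) bought the product. The manuals and purchases tables, the myDSN datasource and the C:\manuals\ folder outside the webroot are assumptions.

```cfml
<!--- download.cfm: serve a manual only after a server-side entitlement check. --->
<!--- Added example, not from the thread. Assumes a cflogin session
      (getAuthUser()), hypothetical tables manuals(manual_id, product_id, filename)
      and purchases(username, product_id), and PDFs stored outside the webroot. --->
<cfset manualRoot = "C:\manuals\">  <!--- hypothetical folder, not web-accessible --->

<!--- Must be logged in through the CFMX security framework --->
<cfif NOT Len(getAuthUser())>
    <cfthrow message="Login required.">
</cfif>

<!--- Accept only a numeric manual id from the client, never a filename --->
<cfparam name="URL.id" type="integer">

<!--- One query answers both "does this manual exist" and "did this user buy
      the product it belongs to"; a filename typed into the URL is useless. --->
<cfquery name="q" datasource="myDSN">
    SELECT m.filename
    FROM manuals m
    INNER JOIN purchases p ON p.product_id = m.product_id
    WHERE m.manual_id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
      AND p.username  = <cfqueryparam value="#getAuthUser()#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- No row: either the manual does not exist or the user is not entitled --->
<cfif q.recordCount EQ 0>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Defence in depth: the stored name must be a bare file name, not a path --->
<cfif q.filename NEQ GetFileFromPath(q.filename)>
    <cfabort showerror="Invalid manual record">
</cfif>

<cfset fullPath = manualRoot & q.filename>
<cfif NOT FileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Stream the PDF from outside the webroot; the browser never sees the path --->
<cfheader name="Content-Disposition" value="attachment; filename=""#q.filename#""">
<cfcontent type="application/pdf" file="#fullPath#" deletefile="no">
```

Because the decision is made from the session and the purchase record rather than from anything the browser sends, it makes no difference whether the request arrives as a link, a form post or a hand-typed URL.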
sonoflight
Citizen or anyone else..., may I ask how you managed to set up a folder outside of your webroot? Did you have to get a HMS rep to set one up for you...or is there something I am missing?...
Just curious as I have looked into this in the past too, just not hard enough. I would like to place my databases/important files inside an external folder like you mention. Thanks for the info.
Josh
Forum Regular
you don't necessarily need a folder outside of the webroot... what you do need is to remove READ access from that folder thru the IIS mmc console. HOWEVER, when you request this you want to make sure they're not removing read access from any of the NT user permissions. Make sure they remove READ from the specified directory thru IIS mmc console.
That'll do ya just the same, and you'll still have full FTP access and you'll even be able to use things like ASP/ASP.NET's Server.MapPath() to dynamically create the path. That will keep you from having to recode anything if you ever move (site move to different server, different host, whatever)
Alan
HostMySite Marketing
A second option is that if you wish to have space in your websites folder that is not accessible directly from the web you can place all of your existing web content in a subfolder and we can repoint IIS to the subfolder. By this I mean:
You currently have c:\websites\abcde which contains 20 files. IIS points the home directory to c:\websites\abcde. You could create a directory c:\websites\abcde\www\ and move the 20 files into this directory. We then have IIS point the home directory to c:\websites\abcde\www\. Your FTP user still has full access to c:\websites\abcde. I hope the above makes sense. If you are interested in something like this you can contact support. This configuration is similar to how our Linux hosting accounts are configured.