Protecting Files with ColdFusion & force downloads

There seems to be a lot of information but no solid steps to this.
I have traffic coming in and being directed towards a central flash file. This flash file is a big resource with a lot of linked material. The flash file and every .cfm file is protected by code in the header and application pages. This leaves direct links to the files exposed.

My need is twofold and I believe they can both help each other.
1) If no one knows the name of the file.. they go to download the link.. I would like to hide the file location and force a save as dialog box
2) If someone should guess the path to the file and type it in directly - how to prevent those requests.

I had started playing around with forcing everyone to a FileDownload.cfm which does some hiding and is protected by the application code - but it still leaves files wide open.. I have something like so...
<cfset docN = URL.docN>
<cfset docD = URL.docD>
<cfcontent type="application/x-unknown">
<cfheader name="Content-Disposition" value="attachment;filename=#docN#">
<cfheader name="Content-Description" value="Resource file.">
<cflocation url="/#docD#/#docN#">

Any ideas?

1) If no one knows the name of the file.. they go to download the link.. I would like to hide the file location and force a save as dialog box

Let's use an example folder named "downloads". This is where your downloadable files are.
This is just an example. cfdirectory outputs the files in that directory - you can use a different query to give a list of files.

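<cfdirectory action="list" directory="C:\Inetpub\wwwroot\downloads" name="files">
<!--- Link each file to getfile.cfm, passing its name in the filename URL parameter --->
<cfoutput query="files">
     <a href="getfile.cfm?filename=#URLEncodedFormat(name)#">#name#</a><br>
</cfoutput>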

Then here is the new file getfile.cfm:
<cfheader name="content-disposition" value="inline; filename=#filename#">
<cfcontent type="application/unknown" file="C:\Inetpub\wwwroot\downloads\#filename#" deletefile="no">

2) If someone should guess the path to the file and type it in directly - how to prevent those requests.

You should put your folder outside of your website,
like C:\Inetpub\downloads (you'd then need to change your directory path in the code above).
This will prevent anyone from accessing it via a browser.
Also, by opening Windows Explorer, right-clicking on [downloads], selecting Properties, checking the Hidden checkbox and clicking OK,
this will disallow users who can guess the path from getting the files by entering the path into their browser.
You'd only need to do this if the downloads folder is within the website - like if you can't move it outside the webroot.

jjayzin (Author) commented:
That's a great suggestion. I'm going to work through it now and see if I'm successful. It does ruin the directory structure I set up to group content in specific folders.. but perhaps I'll use a variable to change download/ to download/Tutorials or download/Marketing etc.

Any pitfalls to dynamically changing the directory in the list command?

The only thing I am unsure of - or didn't realize is that getfile.cfm can reside anywhere but output a directory outside the website. I had no idea. I'm going to try that now. Thanks!

jjayzin (Author) commented:
Okay... I've implemented this and gotten all my vars to pass from flash to my fileDownload.cfm using the header and content above but seem to have a problem... when I'm opening a PDF - Acrobat Reader launches - doesn't ask for save or open dialogue box AND opens with a "temp" file name...

Now - I pass a directory variable docD and a file name var - docN in any url string. When doing this with a zip file - the open / save as box pops up like most zips do AND the file name is kept intact.

Any ideas - was the code missing something I was supposed to add or is this going to be a problem with any Microsoft document (xls, ppt, doc) and PDFs? (And yes, I will be dealing with all those types.)

My code is like so...

<cfset docN = URL.docN>
<cfset docD = URL.docD>
<cfheader name="content-disposition" value="inline; filename=#docN#">                        
<cfcontent type="application/unknown" file="e:\Inetpub\USA\downloads\#docD#\#docN#" deletefile="no">

The part of the problem where it launches without asking is because at some point you had unchecked the "always ask before opening this type of file" - this is a browser setting.
I don't know offhand how to reset to default. Look around your browser.

As for opening with a tmp ext ??? - is the "server" on your local development machine?

jjayzin (Author) commented:
The server is not my development machine but I'm developing then loading everything up and testing in the final server environment.

I load in xml into flash - then use flash interface to pass along doc information to my fileDownload.cfm
There was not a break in that process otherwise I would have gotten file not found or a server error.

I modified the code like so and so far it seems to work and correct the file name AND force the open/save as box. (Which is interesting since I've seen contradicting info on which forces that: "inline" or "attachment".)

My code is now
<cfset docN = URL.docN>
<cfset docD = URL.docD>
<!--- Pick the MIME type from the file extension --->
<cfif Right(docN, 3) EQ "pdf">
      <cfset apptype = "application/pdf">
<cfelseif Right(docN, 3) EQ "zip">
      <cfset apptype = "application/zip">
<cfelse>
      <cfset apptype = "application/unknown">
</cfif>
<cfheader name="content-disposition" value="attachment; filename=#docN#">
<cfcontent type="#apptype#; name=#docN#" file="e:\Inetpub\myFolder\downloads\#docD#\#docN#" deletefile="no">

I also assumed (which we know is incorrect) that on both the "save" or "open" the window would close, because that's how the "open" handles it. Is there another content tag to force the close when a user selects "save"? I didn't see any on Livedocs, and that would just round this out - it would be nice and clean.

As for the .tmp - I'm not sure if the new type="" mod, or more the value="attachment", or the conditional mime types corrected that (or if those conditional application types are even necessary).

Not that I know of - that's a browser thing also, I believe.
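
Both getfile.cfm and the final fileDownload.cfm in this thread build the file path directly from URL parameters, so a request can name any path the ColdFusion service account can read. The handler below is an added example, not code from any participant in the thread, that validates docD and docN before serving; the baseDir location, the extension list and the name rules are assumptions to adapt.

```cfml
<!--- fileDownload.cfm: added example, not code from the thread. --->
<!--- Assumptions: baseDir (a folder outside the web root), the extension list, and the name rules below. --->
<cfparam name="URL.docD" default="">
<cfparam name="URL.docN" default="">
<cfset baseDir = "E:\secure\downloads">

<!--- Only these extensions are served; anything else is refused. --->
<cfset mimeTypes = StructNew()>
<cfset mimeTypes["pdf"] = "application/pdf">
<cfset mimeTypes["zip"] = "application/zip">
<cfset mimeTypes["doc"] = "application/msword">
<cfset mimeTypes["xls"] = "application/vnd.ms-excel">
<cfset mimeTypes["ppt"] = "application/vnd.ms-powerpoint">

<!--- 1. Syntax check: one folder name and one file name, no slashes, quotes or control characters. --->
<cfif NOT REFind("^[A-Za-z0-9_-]+$", URL.docD)
      OR NOT REFind("^[A-Za-z0-9][A-Za-z0-9 ._-]*$", URL.docN)>
  <cfheader statuscode="400" statustext="Bad Request">
  <cfabort>
</cfif>

<!--- 2. Containment check: resolve the path and confirm it is still under baseDir. --->
<cfset ext = LCase(ListLast(URL.docN, "."))>
<cfset target = CreateObject("java", "java.io.File").init(baseDir & "\" & URL.docD & "\" & URL.docN).getCanonicalPath()>
<cfif NOT StructKeyExists(mimeTypes, ext)
      OR Left(target, Len(baseDir) + 1) NEQ (baseDir & "\")
      OR NOT FileExists(target)>
  <cfheader statuscode="404" statustext="Not Found">
  <cfabort>
</cfif>

<!--- 3. Send the file; the quoted name is safe because step 1 excluded quotes and line breaks. --->
<cfheader name="Content-Disposition" value='attachment; filename="#URL.docN#"'>
<cfcontent type="#mimeTypes[ext]#" file="#target#" deletefile="no">
```

Because the handler is a .cfm page, the login check in Application.cfm still runs before any file is sent, which is what a direct link to a file under the web root bypasses.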