Protecting Files with ColdFusion & Forcing Downloads

Posted on 2006-03-28
Last Modified: 2013-12-20
There seems to be a lot of information but no solid steps for this.
I have traffic coming in and being directed towards a central flash file. This flash file is a big resource with a lot of linked material. The flash file and every .cfm file is protected by code in the header and application pages. This leaves direct links to the files exposed.

My need is two fold and I believe they can both help each other.
1) If no one knows the name of the file and they go to download the link, I would like to hide the file location and force a Save As dialog box.
2) If someone should guess the path to the file and type it in directly - how to prevent those requests?

I had started playing around with forcing everyone to a FileDownload.cfm which does some hiding and is protected by the application code - but it still leaves the files wide open. I have something like so...
<cfset docN = URL.docN>
<cfset docD = URL.docD>
<cfcontent type="application/x-unknown">
<cfheader name="Content-Disposition" value="attachment;filename=#docN#">
<cfheader name="Content-Description" value="Resource file.">
<cflocation url="/#docD#/#docN#">

Any ideas?
Question by: jjayzin

    Accepted Solution

    1) If no one knows the name of the file and they go to download the link, I would like to hide the file location and force a Save As dialog box.

    Let's use an example folder named "downloads". This is where your downloadable files are.
    This is just an example. cfdirectory outputs the files in that directory - you can use a different query to give the list of files.

    <cfdirectory action="list" directory="C:\Inetpub\wwwroot\downloads" name="files">
    <cfoutput query="files">
         <a href="getfile.cfm?filename=#URLEncodedFormat(name)#">#name#</a><br>
    </cfoutput>

    Then here is the new file getfile.cfm:
    <cfparam name="URL.filename" type="string">
    <cfheader name="content-disposition" value="attachment; filename=#URL.filename#">
    <cfcontent type="application/octet-stream" file="C:\Inetpub\wwwroot\downloads\#URL.filename#" deletefile="no">

    2) If someone should guess the path to the file and type it in directly - how to prevent those requests.

    You should put your folder outside of your website.
    Like C:\Inetpub\downloads (you'd then need to change the directory path in the code above).
    This will prevent anyone from accessing it via a browser.
    Also, by opening Windows Explorer, right-clicking on [downloads],
    selecting Properties and checking the Hidden checkbox, then clicking OK,
    this will disallow users who can guess the path from getting the files by entering
    the path into their browser.
    You'd only need to do this if the downloads folder is within the website - i.e. if you can't move it outside the webroot.
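    A hardened getfile.cfm along the lines of the accepted solution, written here as an added example (it is not the expert's or the poster's code). It assumes a download root E:\Inetpub\downloads outside the webroot, the subfolder names Tutorials and Marketing, and the URL parameters docD and docN the poster uses; all of these names are hypothetical. What it adds to the answer is the check the answer implies but never codes: docD and docN come straight from the query string, so without validation a value containing ..\ would let the same script read files above the download folder. The script allow-lists the folder, restricts the file name to a safe character set, and finally confirms the resolved path still sits under the base directory before handing it to cfcontent. Because the request still hits a .cfm, the login check in Application.cfm runs first, exactly as it does for the rest of the site.

```cfml
<!--- getfile.cfm: added example, not from the original thread.
      Assumed layout: E:\Inetpub\downloads\<Tutorials|Marketing>\<file>,
      which is outside the webroot so nothing here is reachable by URL. --->
<cfsetting enablecfoutputonly="true">

<cfparam name="URL.docD" type="string" default="">
<cfparam name="URL.docN" type="string" default="">

<cfset baseDir = "E:\Inetpub\downloads">

<!--- Only these subfolders may be requested (hypothetical names). --->
<cfset allowedDirs = "Tutorials,Marketing">

<!--- Extension to MIME type. Anything else falls back to octet-stream,
      which every browser treats as "download, don't render". --->
<cfset mimeTypes = StructNew()>
<cfset mimeTypes["pdf"] = "application/pdf">
<cfset mimeTypes["zip"] = "application/zip">
<cfset mimeTypes["doc"] = "application/msword">
<cfset mimeTypes["xls"] = "application/vnd.ms-excel">
<cfset mimeTypes["ppt"] = "application/vnd.ms-powerpoint">

<!--- 1. Folder must match an allow-list entry exactly (case-insensitive). --->
<cfif NOT ListFindNoCase(allowedDirs, URL.docD)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 2. File name: letters, digits, dot, dash, underscore; no leading dot,
      no slashes, no "..". This alone blocks directory traversal. --->
<cfif (NOT REFind("^[A-Za-z0-9_-][A-Za-z0-9._-]{0,199}$", URL.docN)) OR Find("..", URL.docN)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 3. Belt and braces: let the OS resolve the final path, then confirm
      it is still inside baseDir and actually exists. java.io.File works
      on any ColdFusion version, so no newer built-in is needed. --->
<cfset requested = baseDir & "\" & URL.docD & "\" & URL.docN>
<cfset canonical = CreateObject("java", "java.io.File").init(requested).getCanonicalPath()>
<cfset canonicalBase = CreateObject("java", "java.io.File").init(baseDir).getCanonicalPath()>
<cfif (Left(canonical, Len(canonicalBase) + 1) NEQ canonicalBase & "\") OR NOT FileExists(canonical)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 4. Type from the extension, then force the Open/Save dialog.
      "attachment" is what produces the box; "inline" lets the browser hand
      a PDF straight to the Acrobat plug-in. Quoting the file name keeps
      spaces or semicolons in it from breaking the header. --->
<cfset ext = LCase(ListLast(URL.docN, "."))>
<cfif StructKeyExists(mimeTypes, ext)>
    <cfset apptype = mimeTypes[ext]>
<cfelse>
    <cfset apptype = "application/octet-stream">
</cfif>

<cfheader name="Content-Disposition" value="attachment; filename=""#URL.docN#""">
<cfheader name="Cache-Control" value="private, no-cache">
<cfcontent type="#apptype#" file="#canonical#" deletefile="no" reset="true">
```

    The link list then points at getfile.cfm?docD=Tutorials&docN=intro.pdf (again, made-up names). To check the guard, request the same script with a docD that is not on the list, or a docN containing ..\ or a forward slash, and confirm the response is the 404 and not a file from elsewhere on the drive. Every rejected request is answered with 404 rather than a specific error so the script does not confirm which guesses were close.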

    Author Comment

    That's a great suggestion. I'm going to work through it now and see if I'm successful. It does ruin the directory structure I set up to group content in specific folders, but perhaps I'll use a variable to change download/ to download/Tutorials or download/Marketing etc.

    Any pitfalls to dynamically changing the directory in the list command?

    The only thing I am unsure of - or didn't realize is that getfile.cfm can reside anywhere but output a directory outside the website. I had no idea. I'm going to try that now. Thanks!


    Author Comment

    Okay... I've implemented this and gotten all my vars to pass from Flash to my fileDownload.cfm using the header and content above, but I seem to have a problem: when I'm opening a PDF, Acrobat Reader launches, doesn't ask for a Save or Open dialog box AND opens with a "temp" file name...

    Now - I pass a directory variable docD and a file name var docN in any URL string. When doing this with a zip file, the Open / Save As box pops up like most zips do AND the file name is kept intact.

    Any ideas - was the code missing something I was supposed to add, or is this going to be a problem with any Microsoft document (xls, ppt, doc) and PDFs? (And yes, I will be dealing with all those types.)

    My code is like so...

    <cfset docN = URL.docN>
    <cfset docD = URL.docD>
    <cfheader name="content-disposition" value="inline; filename=#docN#">
    <cfcontent type="application/unknown" file="e:\Inetpub\USA\downloads\#docD#\#docN#" deletefile="no">


    Expert Comment

    The part of the problem where it launches without asking is because at some point you unchecked
    "Always ask before opening this type of file" - this is a browser setting.
    I don't know offhand how to reset it to the default. Look around your browser.

    As for opening with a .tmp extension ??? - is the "server" your local development machine?

    Author Comment

    The server is not my development machine, but I'm developing, then loading everything up and testing in the final server environment.

    I load XML into Flash, then use the Flash interface to pass along doc information to my fileDownload.cfm.
    There was not a break in that process, otherwise I would have gotten a file not found or a server error.

    I modified the code like so and so far it seems to work and correct the file name AND force the Open/Save As box. (Which is interesting, since I've seen contradicting info on whether "inline" or "attachment" forces that.)

    My code is now
    <cfset docN = URL.docN>
    <cfset docD = URL.docD>
    <cfif Right(docN, 3) EQ "pdf">
        <cfset apptype = "application/pdf">
    <cfelseif Right(docN, 3) EQ "zip">
        <cfset apptype = "application/zip">
    <cfelse>
        <cfset apptype = "application/unknown">
    </cfif>
    <cfheader name="content-disposition" value="attachment; filename=#docN#">
    <cfcontent type="#apptype#; name=#docN#" file="e:\Inetpub\myFolder\downloads\#docD#\#docN#" deletefile="no">

    I also assumed, which we know is incorrect, that on both "Save" and "Open" the window would close, because that's how "Open" handles it. Is there another content tag to force the close when a user selects "Save"? I didn't see any on LiveDocs, and that would just round this out - it would be nice and clean.

    As for the .tmp - I'm not sure whether the new type="" mod, the value="attachment", or the conditional MIME types corrected that (or if those conditional application types are even necessary).


    Expert Comment

    Not that I know of - that's a browser thing also, I believe.
