Solved

Password protect a directory over the Web

Posted on 2008-06-13
Last Modified: 2013-12-24
Hello,
I have a few links posted on the website and I'd like to password protect the folder where the users are pulling the downloads from these links.

I've tried:
.htaccess:

AuthUserFile mywebsite.com/downloads/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure Document"
AuthType Basic

<LIMIT GET PUT POST>
require user someuser
</LIMIT>

and the .htpasswd file
htpasswd -c .htpasswd 123456

but it seems like this doesn't work on a ColdFusion server.

Basically, when the users go to the website and click on one of the download links, I want them to be prompted for a username and password. Is it possible to display a message on the pop-up? Say, "If you need access to the files, please contact John Smith."

Thanks!
Question by:HumanScaleDev
Accepted Solution

by:
dgrafx earned 400 total points
ID: 21785008
First off, you can require that visitors who wish to download files must log in.
Upon successful login, you set a session.UserID.
And if they come to the download page before logging in, they can still download files available to the public, but you need to create a default value for session.UserID:
<cfif Not StructKeyExists(session,"UserID")>
      <cflock scope="session" type="exclusive" timeout="15">
            <cfset session.UserID=0>
      </cflock>
      <!--- or you can just send them to login page instead at this point --->
</cfif>
The table downloads referenced below holds info like the file description and who has the right to download it.
Create yourself a form where you can update and insert filenames and misc.
The column UserID datatype is nvarchar so you can add a list of user IDs, which may be numeric or varchar - make it the size of whatever you think you'll need. If potentially very large, just make it nvarchar(max) (if SQL 2005) or nvarchar(1000) (if SQL 2000).
An example value for UserID (in your table below) might be 202,250,689 - this means these 3 users can download this file,
or a value of 0 would mean that anyone can download this file.
Important - the directory you set for fileLocation needs to be outside the webroot - otherwise someone who knows where the files are can enter the URL and get the file anyway - but they won't be able to get it through this feature if not authorized.
If you can't put the files in a folder that is outside the webroot, then put them in a folder where you've removed read access.
This will prevent a browser from accessing the folder directly, but will still be able to download via the method described here.

table downloads
uid - int identity
filename - nvarchar(50)
descrip - nvarchar(max) or ntext if sql 2000
userid - nvarchar(max) or nvarchar(1000) if sql 2000

<!--- Set your file location here! --->
<cfset fileLocation="D:\web\webfiles\downloads\">
<cfdirectory action="list" directory="#fileLocation#" type="file" listinfo="name" name="files" sort="name">
      <cfif files.recordcount>
            <!--- keep in mind that you won't get any results below until you populate your table with some data --->
            <cfquery datasource="#Application.DSN#" name="getFiles">
            select UID,filename,Descrip
            from tblDownloads WITH (NOLOCK)
            where filename IN (<cfqueryparam value="#ValueList(files.name)#" cfsqltype="cf_sql_varchar" list="yes">)
            and
            (
                  (UserID = '0') -- a userid of 0 means this file is open to the public
                  or
                  (',' + UserID + ',' LIKE <cfqueryparam value="%,#session.UserID#,%" cfsqltype="cf_sql_varchar">)
            )
            </cfquery>
            There are <cfoutput>#getFiles.recordcount#</cfoutput> files available for download!<br>
            <cfoutput query="getFiles">
            <!--- encode database values before writing them into HTML or a URL --->
            #HTMLEditFormat(Descrip)#<br>
            <a href="getdownload.cfm?getfile=#URLEncodedFormat(filename)#&UID=#UID#">Download #HTMLEditFormat(filename)#</a><br><br>
            </cfoutput>
      <cfelse>
            There are zero files available for download!
      </cfif>
      
      
      ------------------- the following is the file getdownload.cfm ------------------------


<cfif StructKeyExists(url,"UID")><!--- do protection validation --->
      <cfquery datasource="#Application.DSN#" name="getFiles">
      select UID,filename
      from tblDownloads WITH (NOLOCK)
            <!--- bind url.UID as an integer instead of pasting it into the SQL text --->
            where UID = <cfqueryparam value="#url.UID#" cfsqltype="cf_sql_integer">
            and
                  (
                        (UserID = '0') -- a userid of 0 means this file is open to the public
                        or
                        (',' + UserID + ',' LIKE <cfqueryparam value="%,#session.UserID#,%" cfsqltype="cf_sql_varchar">)
                  )
      </cfquery>
      <!--- Set your file location here! --->
      <cfset fileLocation="D:\web\webfiles\downloads\">
      <cfheader name="Content-Disposition" value='attachment; filename="#getFiles.filename#"'>
      <cfoutput>
            <cfif fileexists("#fileLocation##getFiles.filename#")>
                  <cftry>
                  <cfcontent type="application/unknown" file="#fileLocation##getFiles.filename#" deletefile="no">
                  <cfcontent reset="yes">
                  <cfcatch>
                  <script>
                  alert("There was a problem downloading #JSStringFormat(getFiles.filename)#\nPlease Contact Us")
                  </script>
                  </cfcatch>
                  </cftry>
            <cfelse>
                  <script>
                  alert("<cfif len(trim(getFiles.filename))>#JSStringFormat(getFiles.filename)#<cfelse>That file</cfif> no longer exists\n\tPlease Contact Us")
                  </script>
            </cfif>
      </cfoutput>
</cfif><!--- UID --->
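
A stricter, deny-by-default variant of getdownload.cfm, added here as an example and not part of the answer above: it rejects a non-integer UID, checks the stored file name for path separators, and answers with HTTP status codes instead of script alerts. The helper names isAllowed and isPlainFileName are hypothetical; the DSN, table, session variable and folder are the ones used in the answer.

```cfml
<!--- Added example. aclList is the UserID column, e.g. "0" or "202,250,689" --->
<cffunction name="isAllowed" returntype="boolean" output="false">
    <cfargument name="aclList" type="string" required="true">
    <cfargument name="userID" type="string" required="true">
    <!--- ListFind matches whole list elements, so user 20 never matches 202 --->
    <cfreturn ListFind(arguments.aclList, "0") GT 0
           OR ListFind(arguments.aclList, arguments.userID) GT 0>
</cffunction>

<!--- Reject stored names that could step out of the download folder --->
<cffunction name="isPlainFileName" returntype="boolean" output="false">
    <cfargument name="name" type="string" required="true">
    <cfreturn Len(Trim(arguments.name)) GT 0
          AND Find("/", arguments.name) EQ 0
          AND Find("\", arguments.name) EQ 0
          AND Find("..", arguments.name) EQ 0>
</cffunction>

<cfparam name="url.UID" default="">
<cfparam name="session.UserID" default="0">
<cfset downloadRoot = "D:\web\webfiles\downloads\">

<!--- 1. The id must be an integer before it goes anywhere near the query --->
<cfif NOT IsValid("integer", url.UID)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<cfquery datasource="#Application.DSN#" name="getFile">
    select filename, UserID
    from tblDownloads
    where UID = <cfqueryparam value="#url.UID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 2. Unknown id, unsafe stored name, or missing file: same 404 --->
<cfif getFile.recordcount NEQ 1
      OR NOT isPlainFileName(getFile.filename)
      OR NOT FileExists(downloadRoot & getFile.filename)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 3. Authorization: public file (0) or the caller is on the list --->
<cfif NOT isAllowed(getFile.UserID, session.UserID)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<cfheader name="Content-Disposition" value='attachment; filename="#getFile.filename#"'>
<cfcontent type="application/octet-stream" file="#downloadRoot##getFile.filename#" deletefile="no">
```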

Expert Comment

by:philip3270
ID: 22495272
ColdFusion runs as a separate process; those commands work only on Apache/Linux.

ColdFusion cannot prevent direct folder access, as the web server "forks over" processing to CFML.