Solved

Password protect a directory over the Web

Posted on 2008-06-13
Last Modified: 2013-12-24
Hello,
I have a few links posted on the website and I'd like to password protect the folder where the users are pulling the downloads from these links.

I've tried:
.htaccess:

AuthUserFile mywebsite.com/downloads/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure Document"
AuthType Basic

<LIMIT GET PUT POST>
require user someuser
</LIMIT>

and the .htpasswd file
htpasswd -c .htpasswd 123456

but it seems like this doesn't work on a ColdFusion server.

Basically, when the users go to the website and click on one of the download links, I want them to be prompted for a username and password. Is it possible to display a message on the pop-up? Say... "If you need access to the files, please contact John Smith."

Thanks!
Question by:HumanScaleDev
Accepted Solution

by:
dgrafx earned 400 total points
First off, you can require that visitors who wish to download files must log in.
Upon successful login, you set a session.UserID.
And if they come to the download page before logging in, they can still download files available to the public, but you need to create a default value for session.UserID:
<cfif Not StructKeyExists(session,"UserID")>
      <cflock scope="session" type="exclusive" timeout="15">
            <cfset session.UserID=0>
      </cflock>
      <!--- or you can just send them to the login page instead at this point --->
</cfif>
The table downloads referenced below holds info like the file description and who has the right to download it.
Create yourself a form where you can update and insert filenames and misc.
The column UserID datatype is nvarchar so you can add a list of user IDs, which may be numeric or varchar. Make it the size of whatever you think you'll need. If potentially very large, just make it nvarchar(max) (if SQL 2005) or nvarchar(1000) (if SQL 2000).
An example value for UserID (in your table below) might be 202,250,689 - this means these 3 users can download this file,
or a value of 0 would mean that anyone can download this file.
Important - the directory you set for fileLocation needs to be outside the webroot - otherwise someone who knows where the files are can enter the URL and get the file anyway - but they won't be able to get it through this feature if not authorized.
If you can't put the files in a folder that is outside the webroot, then put them in a folder where you've removed read access.
This will prevent a browser from accessing the folder directly, but files can still be downloaded via the method described here.

table downloads
uid - int identity
filename - nvarchar(50)
descrip - nvarchar(max) or ntext if sql 2000
userid - nvarchar(max) or nvarchar(1000) if sql 2000

<!--- Set your file location here! --->
<cfset fileLocation="D:\web\webfiles\downloads\">
<cfdirectory action="list" directory="#fileLocation#" type="file" listinfo="name" name="files" sort="name">
      <cfif files.recordcount>
            <!--- keep in mind that you won't get any results below until you populate your table with some data --->
            <cfquery datasource="#Application.DSN#" name="getFiles">
            select UID,filename,Descrip
            from tblDownloads WITH (NOLOCK)
            -- file names are bound as a list parameter; "|" cannot occur in a Windows file name
            where filename IN (<cfqueryparam value="#ValueList(files.name,'|')#" cfsqltype="cf_sql_varchar" list="yes" separator="|">)
            and
            (
                  (UserID = '0') -- a userid of 0 means this file is open to the public
                  or
                  (',' + UserID + ',' LIKE <cfqueryparam value="%,#session.UserID#,%" cfsqltype="cf_sql_varchar">)
            )
            </cfquery>
            There are <cfoutput>#getFiles.recordcount#</cfoutput> files available for download!<br>
            <cfoutput query="getFiles">
            <!--- encode database values before writing them into HTML and URLs --->
            #HTMLEditFormat(Descrip)#<br>
            <a href="getdownload.cfm?getfile=#URLEncodedFormat(filename)#&UID=#UID#">Download #HTMLEditFormat(filename)#</a><br><br>
            </cfoutput>
      <cfelse>
            There are zero files available for download!
      </cfif>
      
      
      ------------------- the following is the file getdownload.cfm ------------------------


<cfif StructKeyExists(url,"UID")>
      <!--- do protection validation --->
      <cfquery datasource="#Application.DSN#" name="getFiles">
      select UID,filename
      from tblDownloads WITH (NOLOCK)
            -- url.UID comes from the browser, so it is bound as an integer parameter
            where UID = <cfqueryparam value="#url.UID#" cfsqltype="cf_sql_integer">
            and
                  (
                        (UserID = '0') -- a userid of 0 means this file is open to the public
                        or
                        (',' + UserID + ',' LIKE <cfqueryparam value="%,#session.UserID#,%" cfsqltype="cf_sql_varchar">)
                  )
      </cfquery>
      <!--- Set your file location here! --->
      <cfset fileLocation="D:\web\webfiles\downloads\">
      <cfheader name="Content-Disposition" value="attachment;filename=#getFiles.filename#">
      <cfoutput>
            <cfif fileexists("#fileLocation##getFiles.filename#")>
                  <cftry>
                  <cfcontent type="application/unknown" file="#fileLocation##getFiles.filename#" deletefile="no">
                  <cfcontent reset="yes">
                  <cfcatch>
                  <script>
                  alert("There was a problem downloading #JSStringFormat(getFiles.filename)#\nPlease Contact Us")
                  </script>
                  </cfcatch>
                  </cftry>
            <cfelse>
                  <script>
                  alert("<cfif len(trim(getFiles.filename))>#JSStringFormat(getFiles.filename)#<cfelse>That file</cfif> no longer exists\n\tPlease Contact Us")
                  </script>
            </cfif>
      </cfoutput>
</cfif><!--- UID --->
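
The access check used in the answer's two queries, modelled as an added example (not code from the original post). It shows why the UserID list is wrapped in commas before the LIKE comparison and why the UID from the URL should be a bound value. Assumptions: an in-memory SQLite database stands in for SQL Server (so `||` replaces `+`), the rows are constructed sample data, and the function names are hypothetical.

```python
import sqlite3

# Constructed sample rows modelled on the answer's tblDownloads table.
ROWS = [
    (1, "public.pdf", "0"),            # 0 = open to everyone
    (2, "report.pdf", "202,250,689"),  # the answer's example list of user IDs
    (3, "single.pdf", "20"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblDownloads "
               "(UID INTEGER PRIMARY KEY, filename TEXT, UserID TEXT)")
    db.executemany("INSERT INTO tblDownloads VALUES (?, ?, ?)", ROWS)
    return db

def like_escape(value):
    # Neutralise LIKE wildcards so an ID such as "%" cannot match every row.
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def authorized_file(db, uid, session_user_id):
    """Return the filename if the user may download row `uid`, else None."""
    pattern = "%," + like_escape(str(session_user_id)) + ",%"
    row = db.execute(
        "SELECT filename FROM tblDownloads WHERE UID = ? "
        "AND (UserID = '0' OR (',' || UserID || ',') LIKE ? ESCAPE '\\')",
        (uid, pattern),  # both values are bound, never spliced into the SQL
    ).fetchone()
    return row[0] if row else None

def naive_match(db, uid, session_user_id):
    """Unwrapped substring match, kept only to contrast with the wrapped form."""
    row = db.execute(
        "SELECT filename FROM tblDownloads WHERE UID = ? AND UserID LIKE ?",
        (uid, "%" + str(session_user_id) + "%"),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(authorized_file(db, 2, 250))  # listed user
    print(authorized_file(db, 2, 20))   # 20 is not 202
    print(naive_match(db, 2, 20))       # substring match wrongly grants access
```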

Expert Comment

by:philip3270
ColdFusion runs as a separate process; those commands work only on Apache/Linux.

Coldfusion cannot prevent direct folder access; as the web server "forks over" processing to CFML.