Solved

Password protect a directory over the Web

Posted on 2008-06-13
Last Modified: 2013-12-24
Hello,
I have a few links posted on the website and I'd like to password protect the folder where the users are pulling the downloads from these links.

I've tried:
.htaccess:

AuthUserFile mywebsite.com/downloads/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure Document"
AuthType Basic

<LIMIT GET PUT POST>
require user someuser
</LIMIT>

and the .htpasswd file
htpasswd -c .htpasswd 123456

but it seems like this doesn't work on a ColdFusion server.

Basically, when the users go to the website and click on one of the download links, I want them to be prompted for a username and password. Is it possible to display a message on the pop-up? Say... if you need access to the files please contact John Smith.

Thanks!
Question by:HumanScaleDev

Accepted Solution

by:
dgrafx earned 1600 total points
ID: 21785008
First off, you can require that visitors who wish to download files must log in.
Upon successful login, you set a session.UserID.
And if they come to the download page before logging in, they can still download files available to the public, but you need to create a default value for session.UserID:
<cfif Not StructKeyExists(session,"UserID")>
      <cflock scope="session" type="exclusive" timeout="15">
            <cfset session.UserID=0>
      </cflock>
      <!--- or you can just send them to the login page instead at this point --->
</cfif>
The table downloads referenced below holds info like the file description and who has the right to download it.
Create yourself a form where you can update and insert filenames & misc.
The column UserID datatype is nvarchar so you can add a list of user IDs, which may be numeric or varchar - make it the size of whatever you think you'll need. If potentially very large, just make it nvarchar(max) (if SQL 2005) or nvarchar(1000) (if SQL 2000).
An example value for UserID (in your table below) might be 202,250,689 - this means these 3 users can download this file,
or a value of 0 would mean that anyone can download this file.
Important - the directory you set for fileLocation needs to be outside the webroot - otherwise someone who knows where the files are can enter the URL and get the file anyway - but they won't be able to get it through this feature if not authorized.
If you can't put the files in a folder that is outside the webroot, then put them in a folder where you've removed read access.
This will prevent a browser from accessing the folder directly, but it will still be possible to download via the method described here.

table downloads
uid - int identity
filename - nvarchar(50)
descrip - nvarchar(max) or ntext if sql 2000
userid - nvarchar(max) or nvarchar(1000) if sql 2000

<!--- Set your file location here! --->
<cfset fileLocation="D:\web\webfiles\downloads\">
<cfdirectory action="list" directory="#fileLocation#" type="file" listinfo="name" name="files" sort="name">
      <cfif files.recordcount>
            <!--- keep in mind that you won't get any results below until you populate your table with some data --->
            <!--- file names are bound as a list parameter; "|" is the delimiter because it cannot occur in a Windows file name --->
            <cfquery datasource="#Application.DSN#" name="getFiles">
            select UID,filename,Descrip
            from tblDownloads WITH (NOLOCK)
            where filename IN (<cfqueryparam value="#ValueList(files.name, '|')#" cfsqltype="cf_sql_varchar" list="yes" separator="|">)
            and
            (
                  (UserID = '0') -- a userid of 0 means this file is open to the public
                  or
                  (',' + UserID + ',' LIKE <cfqueryparam value="%,#session.UserID#,%" cfsqltype="cf_sql_varchar">)
            )
            </cfquery>
            There are <cfoutput>#getFiles.recordcount#</cfoutput> files available for download!<br>
            <cfoutput query="getFiles">
            #Descrip#<br>
            <a href="getdownload.cfm?getfile=#URLEncodedFormat(filename)#&UID=#UID#">Download #filename#</a><br><br>
            </cfoutput>
      <cfelse>
            There are zero files available for download!
      </cfif>
      
      
      ------------------- the following is the file getdownload.cfm ------------------------


<cfif StructKeyExists(url,"UID")>      <!--- do protection validation --->
      <!--- url.UID comes from the browser, so it is bound as an integer parameter rather than written into the SQL text --->
      <cfquery datasource="#Application.DSN#" name="getFiles">
      select UID,filename
      from tblDownloads WITH (NOLOCK)
            where UID = <cfqueryparam value="#url.UID#" cfsqltype="cf_sql_integer">
            and
                  (
                        (UserID = '0') -- a userid of 0 means this file is open to the public
                        or
                        (',' + UserID + ',' LIKE <cfqueryparam value="%,#session.UserID#,%" cfsqltype="cf_sql_varchar">)
                  )
      </cfquery>
      <!--- Set your file location here! --->
      <cfset fileLocation="D:\web\webfiles\downloads\">
      <cfheader name="Content-Disposition" value="attachment;filename=#getFiles.filename#">
      <cfoutput>
            <cfif fileexists("#fileLocation##getFiles.filename#")>
                  <cftry>
                  <cfcontent type="application/unknown" file="#fileLocation##getFiles.filename#" deletefile="no">
                  <cfcontent reset="yes">
                  <cfcatch>
                  <script>
                  alert("There was a problem downloading #getFiles.filename#\nPlease Contact Us")
                  </script>
                  </cfcatch>
                  </cftry>
            <cfelse>
                  <script>
                  alert("<cfif len(trim(getFiles.filename))>#getFiles.filename#<cfelse>That file</cfif> no longer exists\n\tPlease Contact Us")
                  </script>
            </cfif>
      </cfoutput>
</cfif><!--- UID --->
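A fail-closed variant of the getdownload.cfm gate described in the accepted answer, added here as an example; it is not part of the original post or dgrafx's code. It assumes the same tblDownloads columns, Application.DSN and download folder as the answer; the 400/403/404 responses and the ListFind-based membership check are choices made for this example.

```cfml
<!--- Added example: fail-closed getdownload.cfm. Table, column and session names follow the answer above. --->
<cfset fileLocation = "D:\web\webfiles\downloads\"> <!--- assumed path; must be outside the webroot --->
<cfparam name="session.UserID" default="0">

<!--- 1. Reject anything that is not a plain integer before it reaches the query --->
<cfif NOT StructKeyExists(url, "UID") OR NOT IsValid("integer", url.UID)>
      <cfheader statuscode="400" statustext="Bad Request">
      <cfabort>
</cfif>

<!--- 2. Fetch the row by primary key only; the value is bound, never concatenated into the SQL --->
<cfquery datasource="#Application.DSN#" name="getFile">
      select filename, UserID
      from tblDownloads
      where UID = <cfqueryparam value="#url.UID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 3. Exact list membership: unlike LIKE, ListFind treats % and _ in a varchar user ID literally --->
<cfset allowed = getFile.recordcount EQ 1
      AND (Trim(getFile.UserID) EQ "0" OR ListFind(getFile.UserID, session.UserID) GT 0)>
<cfif NOT allowed>
      <!--- same response for "no such row" and "not on the list", so UIDs cannot be enumerated --->
      <cfheader statuscode="403" statustext="Forbidden">
      <cfabort>
</cfif>

<!--- 4. Keep only the bare file name so a stored "..\" cannot point outside the download folder --->
<cfset safeName = GetFileFromPath(getFile.filename)>
<cfset fullPath = fileLocation & safeName>
<cfif NOT Len(safeName) OR NOT FileExists(fullPath)>
      <cfheader statuscode="404" statustext="Not Found">
      <cfabort>
</cfif>

<!--- 5. Only now set the download headers and stream the file --->
<cfheader name="Content-Disposition" value="attachment; filename=""#safeName#""">
<cfcontent type="application/octet-stream" file="#fullPath#" deletefile="no">
```

The authorization decision is made on every request to getdownload.cfm, so a UID guessed or copied from another user's link returns 403 instead of the file.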
 

Expert Comment

by:philip3270
ID: 22495272
ColdFusion runs as a separate process; those commands work only on Apache/Linux.

ColdFusion cannot prevent direct folder access, as the web server "forks over" processing to CFML.