How can access be restricted to a directory (CF and IIS 7)

Posted on 2013-09-09
Medium Priority
Last Modified: 2013-09-17
I'm trying to solve a problem on a CF/IIS 7 site that I admin but didn't write.
I am running the site in two locations; one is production and the other is a test server. On production the problem with IE 10 below does not exist, which is good! But I need to test something on the test system and I can't until I am able to log into the test system using IE 10.

The site has a root directory  (www)
and an admin directory (www/admin)

Access to the admin directory is restricted unless you login successfully. The login function works correctly on every browser I have tested except IE 10. If I try to login using IE 10, the site just stays on the login page and the username/pw disappear from the input boxes.

I have looked over the code thoroughly. The problem comes at this bit of code:

<cfif not isDefined("session.urlForward") OR session.urlForward eq "" OR session.urlForward contains "/admin/login.cfm">
<!--- in IE 10 the session.urlForward var is not defined here. In Firefox it is --->
<cfset urlForward = "index.cfm" />
<cfelse>
<!--- Firefox winds up here --->
<cfset urlForward = session.urlForward />
</cfif>
<cflocation url="#urlForward#" addtoken="false" />

If I am using IE 10, the session.urlForward var is not defined.
If I am using FF, the session.urlForward var IS defined and I wind up in the else and I log in successfully. The login creds for both IE 10 and FF are showing up correctly.

If I create a very basic file (test.cfm) in www/admin, I can't view the file unless I log in.

So, the point I am at now is to figure out what is causing the admin directory to be restricted. I posted this problem a few days back, but since then my questions are different (and obviously it's still not solved).

What is the method one would use to restrict a directory in this situation - is it a function in IIS 7 or is it a ColdFusion thing? or something else? I'm trying to backtrack to see why this is working on my production server but not my test server.

I have many other directories under www that I have no problem accessing without a login. How did the initial developer restrict access to www/admin?

Question by:nachtmsk

Expert Comment

ID: 39479697
Do you have access to CF Administrator?
If so, check the box next to use J2EE sessions.

Also check IE's cookie restrictions - remember that CF uses cookies to manage sessions.

Expert Comment

by:Sanjay Santoki
ID: 39480252

Please try adding the website to the trusted websites list, and make sure the required add-ons are installed, i.e. JVM, Flash.

Also, try to enable compatibility mode on IE.

Sanjay Santoki

Accepted Solution

reiters earned 2000 total points
ID: 39487612
Here is what I use to restrict directories using pure CF.

		<cfif findnocase('manage/',cgi.script_name,1)>
			<cfif _session.admin eq 0>
				<cfset reqData = getHTTPRequestData()>
				<cfif structKeyExists(reqData.headers,"X-Requested-With") and reqData.headers["X-Requested-With"] eq "XMLHttpRequest">
					<!--- ajax loaded page --->
					<script type="text/javascript">
						document.location = '/loginadmin.cfm';
					</script>
					<!--- stop here so the protected page body is not sent after the redirect script --->
					<cfabort>
				<cfelse>
					<!--- not ajax loaded page --->
					<cflocation url="/loginadmin.cfm" />
				</cfif>
			</cfif>
		</cfif>


Ignore the _session part. I created my own session management that is load balancer friendly and performs very well. The code works when you have ajax windows too. To begin with, I had the issue of their session timing out and then they would click a link on the screen and get the login in a tiny popup div. This code knows the difference between an ajax window and a regular page load and forwards to the login properly.
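
The same directory gate written as an Application.cfc placed in www/admin, which ColdFusion applies to every request under that directory. This is an added example, not code from the thread or from the site in question. It uses the built-in session scope rather than the custom _session above; the application name "exampleSite" and the session.isAdmin flag are assumptions, while /admin/login.cfm and session.urlForward are taken from the question.

```cfml
<!--- www/admin/Application.cfc (added example; names noted below are assumptions) --->
<cfcomponent output="false">
	<!--- Assumed application name; it must match the root Application.cfc to share one session --->
	<cfset this.name = "exampleSite">
	<cfset this.sessionManagement = true>
	<cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

	<cffunction name="onSessionStart" returntype="void" output="false">
		<!--- Hypothetical flag; login.cfm sets it to true after a successful login --->
		<cfset session.isAdmin = false>
		<cfset session.urlForward = "">
	</cffunction>

	<cffunction name="onRequestStart" returntype="boolean" output="false">
		<cfargument name="targetPage" type="string" required="true">
		<cfset var headers = getHTTPRequestData().headers>

		<!--- The login page itself must stay reachable without a login --->
		<cfif findNoCase("/admin/login.cfm", arguments.targetPage)>
			<cfreturn true>
		</cfif>

		<cfif not structKeyExists(session, "isAdmin") or not session.isAdmin>
			<cfif structKeyExists(headers, "X-Requested-With") and headers["X-Requested-With"] eq "XMLHttpRequest">
				<!--- AJAX call: answer 401 and stop, so no protected markup lands in a popup div --->
				<cfheader statuscode="401" statustext="Unauthorized">
				<cfabort>
			</cfif>
			<!--- Remember only the server-side script path, never a client-supplied URL --->
			<cfset session.urlForward = arguments.targetPage>
			<cflocation url="/admin/login.cfm" addtoken="false">
		</cfif>

		<cfreturn true>
	</cffunction>
</cfcomponent>
```

If the browser does not send the session cookie back, every request starts a new session, so session.isAdmin is false again and session.urlForward is empty on the request that follows the login.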

Author Closing Comment

ID: 39499575
Thanks everyone.
The solution was for me to rebuild my test env from scratch. I had tested a lot of things on that test server and something was messing it up. Once I rebuilt the server (took two days), everything worked as it should. That being said, I thought reiters' solution was useful on its own. Thanks again,
