How can access be restricted to a directory (CF and IIS 7)
Posted on 2013-09-09
I'm trying to solve a problem on a CF/IIS 7 site that I admin but didn't write.
I am running the site in two locations: one is production and the other is a test server. On production the problem with IE 10 below does not exist, which is good! But I need to test something on the test system, and I can't until I am able to log into the test system using IE 10.
The site has a root directory (www)
and an admin directory (www/admin)
Access to the admin directory is restricted unless you login successfully. The login function works correctly on every browser I have tested except IE 10. If I try to login using IE 10, the site just stays on the login page and the username/pw disappear from the input boxes.
I have looked over the code thoroughly. The problem comes at this bit of code:
<cfif not isDefined("session.urlForward") OR session.urlForward eq "" OR session.urlForward contains "/admin/login.cfm">
    <!--- in IE 10 the session.urlForward var is not defined here. In Firefox it is --->
    <cfset urlForward = "index.cfm" />
<cfelse>
    <!--- Firefox winds up here --->
    <cfset urlForward = session.urlForward />
</cfif>
<!--- redirect to the chosen page without appending CFID/CFTOKEN to the URL --->
<cflocation url="#urlForward#" addtoken="false" />
If I am using IE 10, the session.urlForward var is not defined.
If I am using FF, the session.urlForward var IS defined and I wind up in the else and I log in successfully. The login creds for both IE 10 and FF are showing up correctly.
If I create a very basic file (test.cfm) in www/admin, I can't view the file unless I log in.
So, the point I am at now is to figure out what is causing the admin directory to be restricted. I posted this problem a few days back, but since then my questions are different (and obviously it's still not solved).
What is the method one would use to restrict a directory in this situation - is it a function in IIS 7 or is it a ColdFusion thing? Or something else? I'm trying to backtrack to see why this is working on my production server but not my test server.
I have many other directories under www that I have no problem accessing without a login. How did the initial developer restrict access to www/admin?
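
One common ColdFusion-side way to get the behaviour described in the post (every page under www/admin, including a new test.cfm, requires a login, and session.urlForward records where to go afterwards) is an Application.cfc placed in www/admin, because ColdFusion uses the nearest Application.cfc or Application.cfm at or above the requested page. The sketch below is an added example, not code from the site in question; the application name and the session.isLoggedIn flag are hypothetical, and only session.urlForward and /admin/login.cfm come from the post.

```cfml
<!--- www/admin/Application.cfc (hypothetical sketch, not the site's own code) --->
<cfcomponent output="false">

    <!--- Hypothetical application name; session management must be on
          for session.urlForward to exist at all --->
    <cfset this.name = "exampleAdminApp" />
    <cfset this.sessionManagement = true />
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0) />

    <!--- Runs before every .cfm request in this directory and below --->
    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true" />

        <!--- session.isLoggedIn is an assumed flag set by the login handler --->
        <cfif NOT structKeyExists(session, "isLoggedIn") OR NOT session.isLoggedIn>

            <!--- Let the login page itself through, otherwise it would
                  redirect to itself forever --->
            <cfif arguments.targetPage does not contain "/admin/login.cfm">
                <!--- Remember the requested page so the login handler can
                      send the user back to it. This value only reaches the
                      login handler if the browser returns the session
                      cookies on the next request; otherwise a new session
                      is created and session.urlForward is undefined there. --->
                <cfset session.urlForward = arguments.targetPage />
                <cflocation url="/admin/login.cfm" addtoken="false" />
            </cfif>
        </cfif>

        <cfreturn true />
    </cffunction>

</cfcomponent>
```

To tell which layer enforces the restriction on a given server, look for an Application.cfc or Application.cfm in www/admin on the ColdFusion side, and for authorization rules applied to that directory in IIS 7 on the web server side.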