How can access be restricted to a directory (CF and IIS 7)

Hi,
I'm trying to solve a problem on a CF/IIS 7 site that I admin but didn't write.
I am running the site in two locations: one is production and the other is a test server. On production the problem with IE 10 below does not exist, which is good! But I need to test something on the test system and I can't until I am able to log into the test system using IE 10.

The site has a root directory  (www)
and an admin directory (www/admin)

Access to the admin directory is restricted unless you log in successfully. The login function works correctly on every browser I have tested except IE 10. If I try to log in using IE 10, the site just stays on the login page and the username/pw disappear from the input boxes.


I have looked over the code thoroughly. The problem comes at this bit of code:

<cfif not isDefined("session.urlForward") OR session.urlForward eq "" OR session.urlForward contains "/admin/login.cfm">
<!--- in IE 10 the session.urlForward var is not defined here. In Firefox it is --->
<cfset urlForward = "index.cfm" />
<cfelse>
<!--- Firefox winds up here --->
<cfset urlForward = session.urlForward />
</cfif>      
<cflocation url="#urlForward#" addtoken="false" />


If I am using IE 10, the session.urlForward var is not defined.
If I am using FF, the session.urlForward var IS defined and I wind up in the else and I log in successfully. The login creds for both IE 10 and FF are showing up correctly.

If I create a very basic file (test.cfm) in www/admin, I can't view the file unless I log in.


So, the point I am at now is to figure out what is causing the admin directory to be restricted. I posted this problem a few days back, but since then my questions are different (and obviously it's still not solved).

What is the method one would use to restrict a directory in this situation - is it a function in IIS 7 or is it a ColdFusion thing? or something else? I'm trying to backtrack to see why this is working on my production server but not my test server.

I have many other directories under www that have no problem accessing without a login. How did the initial developer restrict access to www/admin?

Thanks!
Nacht
nachtmsk Asked:

dgrafx Commented:
Do you have access to CF Administrator?
If so check the box next to use J2EE sessions

Also check IE's cookie restrictions - remember that CF uses cookies to manage sessions.
Sanjay Santoki Commented:
Hello,

Please try adding the website to the trusted websites list, and make sure the required add-ons are installed, i.e. JVM, Flash.

Also, try to enable compatibility mode on IE.

Regards,
Sanjay Santoki
reiters Commented:
Here is what I use to restrict directories using pure CF.

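<!--- Gate every request whose script path contains "manage/" --->
<cfif findnocase('manage/',cgi.script_name,1)>
	<!--- _session.admin eq 0 means the visitor is not logged in as an admin --->
	<cfif _session.admin eq 0>
		<cfset reqData = getHTTPRequestData()>
		<cfif structKeyExists(reqData.headers,"X-Requested-With") and reqData.headers["X-Requested-With"] eq "XMLHttpRequest">
			<!--- ajax loaded page: redirect the whole window, not just the popup div --->
			<script type="text/javascript">
				document.location = '/loginadmin.cfm';
			</script>
			<cfabort>
		<cfelse>
			<!--- not ajax loaded page; addtoken="false" keeps CFID/CFTOKEN out of the URL --->
			<cflocation url="/loginadmin.cfm" addtoken="false" />
			<cfabort>
		</cfif>
	</cfif>
</cfif>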



Ignore the _session part. I created my own session management that is load balancer friendly and performs very well. The code works when you have AJAX windows too. To begin with, I had an issue with their session timing out and then them clicking a link on the screen and getting the login in a tiny popup div. This code knows the difference between an AJAX window and a regular page load and forwards to the login properly.
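Added example (not from any post above and not the site's actual code): the same pure-CF restriction placed in a root Application.cfc, so that every request under /admin/ is checked before the page runs. It assumes the site sits at the web root, that /admin/login.cfm sets a hypothetical session.isAdmin flag on success, and it answers AJAX requests with a 401 instead of the script redirect used above.

```cfml
<!--- Added example: www/Application.cfc (site root). session.isAdmin is a
      hypothetical flag that /admin/login.cfm sets after a successful login. --->
<cfcomponent output="false">
  <cfset this.name = "exampleSite">
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

  <cffunction name="onRequestStart" returntype="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">
    <cfset var reqData = "">
    <cfset var isLoginPage = (compareNoCase(arguments.targetPage, "/admin/login.cfm") eq 0)>

    <!--- Anchor the match at the start of the path. "eq" compares strings
          case-insensitively, so /Admin/ and /admin/ are treated alike. --->
    <cfif left(arguments.targetPage, 7) eq "/admin/" and not isLoginPage>
      <cfif not structKeyExists(session, "isAdmin") or not session.isAdmin>
        <cfset reqData = getHTTPRequestData()>
        <cfif structKeyExists(reqData.headers, "X-Requested-With")
              and reqData.headers["X-Requested-With"] eq "XMLHttpRequest">
          <!--- AJAX caller: return a status the client script can act on --->
          <cfheader statuscode="401" statustext="Unauthorized">
          <cfabort>
        </cfif>
        <!--- Remember where the visitor was going. The value is the
              server-side script path, never request input, so the login
              page's later redirect cannot be pointed at another site.
              It is only readable on the login request if the browser
              sends the session cookies back. --->
        <cfset session.urlForward = arguments.targetPage>
        <!--- cflocation ends the request; addtoken="false" keeps the
              session identifiers out of the URL. --->
        <cflocation url="/admin/login.cfm" addtoken="false">
      </cfif>
    </cfif>
    <cfreturn true>
  </cffunction>
</cfcomponent>
```

To find out how an existing site does this, look for an Application.cfc or Application.cfm in www and in www/admin; ColdFusion uses the nearest one it finds walking up from the requested file.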
nachtmsk (Author) Commented:
Thanks everyone.
The solution was for me to rebuild my test env from scratch. I had tested a lot of things on that test server and something was messing it up. Once I rebuilt the server (took two days), everything worked as it should. That being said, I thought reiters' solution was useful on its own. Thanks again,
Nacht