ColdFusion Talk (CF-Talk)
I guess it was bound to happen
Robert Rhodes, 08/10/12 02:02 PM:

Hello everyone. I have a site where a password is required to access the site. On pages in the site, there are links to download files. I set the appropriate meta tags and robots.txt to tell the search engines to not spider the site. Though the site pages are not in Google, the files are showing up. That's bad. It's a lot of files, so before I code up a solution to access all the files through logic so I can control the permissions, is there some way to protect a directory so that files can't be downloaded without being logged in on the site? My guess is the answer is no, but I thought I would ask.

-RR

Brian Thornton, 08/10/12 02:05 PM:

Are you using IIS security for login or CFM security?

Robert Rhodes, 08/10/12 05:59 PM:

Yes, I am using CF for login security. Thanks to all for the suggestions. While I am considering the various suggestions, I renamed the directory and removed the insecure page that had links to the files (the client put this page up with the CMS). I then changed all the links on the secure pages to the new directory name. That solves the problem now while I work out a more permanent solution. Thanks again for the help.

-RR

Russ Michaels, 08/10/12 02:05 PM:

CF can only protect CF files if they are web accessible. If you request a PDF file for example, CF is never involved in this process. The best solution is to use server side security to password protect the folder and not CF. If you are on APACHE then simply use .htaccess for this. If you are on Windows/IIS then take a look at Helicon APE.

John M Bliss, 08/10/12 02:07 PM:

The only way to reliably do this is to make it so the files' directory is not accessible via HTTP. The two most common ways to do this are:

- put directory above / outside the webroot
- tell IIS / Apache / webserver to disregard directory (if it's under / inside webroot)

...and then retrieve / serve files using CFML tags:

http://ray.camdenfamily.com/index.cfm/2006/3/10/Ask-a-Jedi-Using-ColdFusion-to-serve-files

Alan Rother, 08/10/12 02:40 PM:

+1 what John said, I was just going to send the same link =]

Claude_Schnéegans, 08/10/12 03:07 PM:

>> I set the appropriate meta tags and robots.txt to tell the search engines to not spider the site.

Only well-behaved bots will follow the robots.txt recommendations. There are also bad bots which don't care about reading the file, and very bad bots which do read the file for the sole purpose of requesting what you want to hide.

Russ Michaels, 08/10/12 03:35 PM:

The problem with serving files using CF is that you are putting considerable extra load onto CF, as it has to load the load into memory and then serve it. If it's a busy site serving lots of files then this may well overload your cfserver, especially if you're on shared hosting. By using .htaccess as I said, you do not involve CF in the task at all.

If you want to control permissions on other parts of your app as well, then this is also easy to achieve, as you can pass the login used from htaccess to CF and then use that for your role based security within your CF app as you already do.

Bryan Stevenson, 08/10/12 04:09 PM:

Simply put sensitive files outside the web root and have CF pull them as needed - no spider is going to index inaccessible files ;-)

My 2 cents in the 20 seconds I thought about this. HTH ;-)

...and I'm sure you'll get loads of other options - this one to me is simple and solid.

Cheers
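
The approach several replies above recommend (files outside the webroot, served through a CF page that checks the login first), as an added example that is not code from any poster in this thread. It assumes session management is enabled, that the site's login code sets a boolean session.loggedIn, and that D:\secure_files is a hypothetical directory outside the webroot; all three names are illustrative.

```cfml
<!--- download.cfm (added example). Assumptions: session.loggedIn is a boolean
      set by the site's existing login code, and D:\secure_files is a
      hypothetical directory outside the webroot that holds the downloads. --->
<cfset baseDir = "D:\secure_files">
<cfparam name="url.file" type="string" default="">

<!--- 1. Refuse anonymous requests before touching the file system. --->
<cfif NOT structKeyExists(session, "loggedIn") OR NOT session.loggedIn>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 2. Resolve the requested name against baseDir and canonicalise it, so
      "..\" sequences or an absolute path cannot point outside baseDir. --->
<cfset sep         = createObject("java", "java.io.File").separator>
<cfset baseCanon   = createObject("java", "java.io.File").init(baseDir).getCanonicalPath()>
<cfset target      = createObject("java", "java.io.File").init(baseCanon, url.file)>
<cfset targetCanon = target.getCanonicalPath()>
<cfset prefix      = baseCanon & sep>

<!--- An empty name resolves to baseDir itself and fails the prefix test;
      a directory or a missing file fails isFile(). --->
<cfif compare(left(targetCanon, len(prefix)), prefix) NEQ 0 OR NOT target.isFile()>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 3. Send the file as a download. X-Robots-Tag asks search engines not to
      index the response even if a link to this page leaks. --->
<cfset safeName = replace(target.getName(), '"', "", "all")>
<cfheader name="Content-Disposition" value='attachment; filename="#safeName#"'>
<cfheader name="X-Robots-Tag" value="noindex">
<cfcontent type="application/octet-stream" file="#targetCanon#" deletefile="no" reset="yes">
```

Links on the protected pages would then point at download.cfm?file=report.pdf (a constructed file name) instead of at the file's own URL, so a request without a logged-in session gets a 403 rather than the document.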
May 25, 2013