Web File Security best practices for ColdFusion 8 in IIS6 or IIS7

Question

Lets say we have a web site with a CF app that was written in house.

assume that
Server 2003 IIS6 or 2008 IIS7 will be used
Coldfusion 8 will be used

Directory browsing is denied
SSL is required to connect
the account login process is secure (yeah I know that is a whole other ball of wax but that concept is discussed ad nauseum on the web).

say I have a file at https://domain.com/folder1/folder2/ with a name like picture92352.ext imagine it as a jpg or pdf or whatever. The entire path between the domain name and the file varies widely in naming structure, depth, etc. Files are not all lumped together in one folder.

The app restricts links by user such that a user would have to have access to that file to find it in the first place but as it stands now if a person knew the full URL to that file they could retrieve it without logging in to the app. It's the classic security by obscurity situation. A random person isn't likely to find a file they shouldn't get to but once someone is given access they know how to access it from another PC where their actions might not be traced back to them.

How do I restrict access to these files before someone logs in and still make them accessible to outside users after they log in? Is there a way to do it with permissions only or is the only answer to have code dynamically moving files around at the time of the request or is there some obvious step I'm not even thinking of?

Let me clarify this slightly. No matter how the file is presented on a page a user can use the browser IE, Firefox, etc to examine the URL the file comes from. If the image is a link there is always copy shortcut in the right click menu for IE and the same functionality in FF is called copy link location. If the image is displayed inline as part of the page an IE user can right click and choose properties to see the URL, in FF the same functionality is present to see properties but there is an even quicker more convenient option labeled copy image location. Once a user knows the URL to a file if the location or file name doesn't change they can use that URL without authenticating in the CF app.

If I change the NTFS/share permissions so that IUSR can't see the content then my CF app and IIS can't push it. What strategy do I use to provide the file in the CF app that doesn't leave this hole open?

Answer 1

You could write a CFM page that serves up the images. Then you just make sure they are authenticated inside the CFM.

<!-- something like this -->
http://localhost/GetFile.cfm?file=foobar.jpg

In GetFile.cfm, you would do something like:

<!-- the filename part is what the browser will pre-popualate the file name in the download dialog as -->
<CFHEADER name="Content-disposition" value="attachment;filename=picture92352.ext"> 
<CFCONTENT type="text/plain" file="\\fileserver\folder1\folder2\picture92352.ext">

Take a look at the various MIME types.

If you wanted to do something similar but keep a more natural URL, I think you would need to leverage the Java servlet underpinnings of ColdFusion to create a handler for any URL matching a certain pattern.