Question : Using cfheader and cfcontent to obfuscate download path.

I have inherited a file repository application that I'd like to secure a bit.

Currently, when a user wants to download a file, the path to the file is exposed in the URL.

I should note that we are in a shared hosting environment, and no space outside the web root.

In any case, after doing a bit of reading, I thought I'd be able to use something like:

1:	<a href="get_file.cfm?#urlEncodedFormat(CFusion_Encrypt(myPath, myKey))#">

Where myPath is the relative path to the file from the calling page.

Get_file.cfm code is below which fails with a 404 to the ENCRYPTED URL, even though I can dump vars to confirm I'm getting the decoded/decrypted path and file info.

What am I doing wrong?

TIA!

1: 2: 3: 4: 5: 6: 7:

<cfset ePath = CGI.QUERY_STRING /> <cfset oPath = URLDecode(CFusion_Decrypt(ePath, Session.UserName)) /> <cfset f = Right(oPath, Len(oPath) - Find("/", oPath, Find("/", oPath) + 1)) /> <cfheader name="Content-Disposition" value="attachment; filename=#f#" /> <cfcontent type="application/unknown" file="#oPath#" />

Answer : Using cfheader and cfcontent to obfuscate download path.

If you can Link the folder, then you can use a MakeTable query to localize that. For example, if I Link an Outlook folder named "MyOutLookFolder", and I then want to make that into a permanant, local table, I can do this:

Currentdb.Execute "SELECT * INTO MyNewTable FROM MyOutLookFolder"