Secure redirection

Yesterday I found what I thought was an interesting solution to a problem that we sometimes have.  On occasion we have directories of HTML files in our medical websites that we need to keep ‘protected’ behind a login.  Usually these are eLearning websites and have additional pieces that are protected via a ColdFusion login, so rather than having to create multiple Windows users on the server and then having to deal with permissions issues, I prefer to come up with a good programmable solution utilizing the user database we have to create anyway.  The solution I ran across yesterday was a simple redirect on IIS7.

In IIS7, there has been a change to how the web server deals with serving sites.  When a redirect is added, a new file is put into the directory: an XML-based configuration file called web.config.  I am sure this file has more fun things that can be done with it, but for my current purposes, I only needed to deal with the httpRedirect tag.  If you create a redirect within the IIS7 GUI, your file will look something like this:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpRedirect enabled="true" destination="http://my.website.com" httpResponseStatus="Permanent" />
  </system.webServer>
</configuration>

But in this case, I wanted to use file-based redirects, which tell the system to redirect only on HTML files. So we add a line for the html wildcard and remove the destination from the httpRedirect:

<httpRedirect enabled="true" exactDestination="true" httpResponseStatus="Permanent">
  <add wildcard="*.html" destination="http://my.website.com/protecthtml/index.cfm?id=$V" />
</httpRedirect>

The $V variable passes through the folder and file name.  So when I create my index.cfm page, I simply have to cfinclude the url.id field.  Of course, it’s important to test the file first, since url.id arrives in the URL and index.cfm can be requested directly with any value: make sure that the file exists, that it’s just an HTML file, and that someone isn’t trying to view a config file or some such.  All links can then be built just like in a standard HTML site; they will redirect automatically where necessary.
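
The checks described above, written out as an added example (not the author's code). It serves the file with fileRead rather than cfinclude, so the content is sent as static text and never executed as CFML. Assumed, hypothetical names: a protected folder /elearning, a session.loggedIn flag set by the ColdFusion login, a login.cfm page, and session management enabled for the application.

```cfml
<!--- index.cfm (added example). Hypothetical names: /elearning, session.loggedIn, login.cfm --->
<cfscript>
// Resolve "..", symlinks and junctions through the JVM so comparisons use real paths.
function canonical(required string p) {
    return createObject("java", "java.io.File").init(arguments.p).getCanonicalPath();
}

// Returns the absolute path of the file to serve, or "" when the request is rejected.
function resolveProtectedHtml(required string id, required string siteRoot, required string protectedRoot) {
    // Allowlist: slash-separated names made of letters, digits, "_" and "-", ending in .html.
    // Names cannot contain dots, so "..", "web.config" and "page.html.cfm" never match.
    if (len(arguments.id) gt 200 or not reFind("^(/[A-Za-z0-9_-]+)+\.html$", arguments.id)) {
        return "";
    }
    var rootPath = canonical(arguments.protectedRoot);
    var target = canonical(arguments.siteRoot & arguments.id);
    var sep = createObject("java", "java.io.File").separator;
    // Containment: the resolved file must still sit below the protected folder.
    if (compareNoCase(left(target, len(rootPath) + 1), rootPath & sep) neq 0) {
        return "";
    }
    return fileExists(target) ? target : "";
}
</cfscript>

<cfparam name="url.id" default="">

<!--- Authenticate first, so anonymous requests learn nothing about which files exist. --->
<cfif not structKeyExists(session, "loggedIn") or not session.loggedIn>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<cfset htmlFile = resolveProtectedHtml(url.id, expandPath("/"), expandPath("/elearning"))>
<cfif htmlFile eq "">
    <!--- One answer for every rejection: bad name, wrong folder, missing file. --->
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- fileRead returns the file as text; unlike cfinclude it never runs CFML found in it. --->
<cfcontent type="text/html; charset=utf-8" reset="true"><cfoutput>#fileRead(htmlFile, "utf-8")#</cfoutput>
```

The pattern is case-sensitive and deliberately strict, so file or folder names containing spaces, dots or uppercase extensions are rejected until the allowlist is widened to cover them.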