Many of us have used the CFCONTENT tag that comes with ColdFusion to serve up files to browsers, but very few ColdFusion developers are aware that the CFCONTENT tag can be used in conjunction with the HTML <IMG> tag to serve up graphics, such as JPEGs and GIFs. In this case, the why of doing this is perhaps just as interesting as the how.

It turns out that using this technique is perfect for use with creating an advertising banner server, controlling access to graphic files, or - on the more sinister side - creating "Web bugs."

If you don't recall, a Web bug is a graphic (usually an invisible 1 pixel shim) that is embedded in an HTML e-mail message or Word document that tips off its creator when and who is reading without readers even knowing their access was logged.

If you've never used the CFCONTENT tag before, it's an excellent tool to become familiar with. In layman's terms, CFCONTENT tells a Web browser that it's about to receive a non-HTML file, and then sends it to the browser. It does this by allowing you to specify a MIME type and a filename to send to the browser. So a ColdFusion template name can be put in place of a JPEG or GIF file, like so:

<IMG SRC="http://www.myserver.com/
images/send_graphic.cfm">

The ColdFusion template "sendgraphic.cfm" will contain a CFCONTENT tag that specifies "image/gif" for the MIME type and is pointed at the name of an actual .GIF file. The kicker is that you can also include code that logs the access to the file to a database table or does just about anything else ColdFusion can do. This is where privacy advocates get upset.

If logging access isn't bad enough, your send_graphic.cfm file could also use CFCOOKIE to set a cookie on the viewer's machine. In turn you could later check for the cookie when the user visits your Web site. If the cookie is there, then you could infer that the person viewed the e-mail, and then decided to visit the Web site. And that's just the beginning of the worst of the possibilities.

A more common use of CFCONTENT in this way is to serve graphics for a banner server-type application. The logistics and possibilities are about the same as for a Web bug. The only major difference is that even less savvy Internet users are aware that someone is probably logging each and every time the graphic is viewed. In the same spirit as with security flaws in applications, the authors of this article feel that it's better to make as many people as possible aware of these techniques and then let them decide how to use the information. This is, after all, real-world stuff that is regularly used by Web programmers at Microsoft, Barnes & Noble, and other major direct e-mailers. So in that spirit, let's look at some example code in Listing 1.

This simple example uses a custom tag called <CFX_NSLookup> free from Lewis Sellar's Intra foundation (www.intrafoundation.com/freeware.html), and is used to get the user's domain name from the IP Address. We will use CFTRY tags to catch any possible logging failures and just send the image anyway. Finally, we use CFSETTING to suppress any extra white space that might be generated by our code formatting. To avoid problems with Web browsers, the only output we need or want comes from CFCONTENT.

So there you have it. When the Web browser or e-mail client loads the HTML containing <IMG SRC=" www.myserver.com/images/send_graphic.cfm">, their IP address, the date, and possibly their domain name are logged in a database and the graphic sent, and the uneducated viewer is none the wiser.

Advantages of using CFCONTENT to serve graphics are:

1. The actual location of the file does not have to be in the accessible Web path. (This is good if your users are paying for the files, such as graphics libraries, PDF reports, or install EXEs.)
2. You can include code in the template that can log access to the file.
3. The file to be displayed can be dynamically selected based on other criteria; for instance, random image display, and graphic size based on connection speed.

Web bugs graphics let you track who reads e-mail or Word documents. ColdFusion can server up smart Web bugs or any other dynamic graphic using CFCONTENT.

Resources
1.Web bug FAQ: www.eff.org/pub/Privacy/Profiling_cookies_webbugs/web_bug.html
2. General privacy site: www.privacyfoundation.org/

• Source Code