coldfusion, application.cfc, coldfusion-7

Is there a way to secure folders in ColdFusion, without the use of Application.cfc in every folder?


The only way I can figure out how to secure folders is to include a basic Application.cfc in every single one, including sub-folders.

The file /test/thisfile.cfm is secure and sends a user who is not logged in to the login page; however, the folder /test/test2/ must also have an Application.cfc, or a user could go directly to test/test2/thatfile.cfm without a problem.

I know there has to be a better way than this; I'm just not sure what it is, and everything on Google is telling me to use the "Login Wizard" or to install a framework, neither of which is an option for me.

Another consideration: this must work in MX 7, unfortunately. If there are better options in CF 9, then I would be happy to hear them, but the priority is MX 7.


Solution

  • Without an Application.cfc file or an MVC Framework, you can manually start each "secure" CFM file with a check for a session variable:

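    <!--- Redirect anyone without an authenticated session; EQ is the CFML comparison operator --->
    <cfif (NOT structKeyExists( session, "isLoggedIn" )) OR (session.isLoggedIn EQ false)>
        <!--- addtoken="no" keeps CFID/CFTOKEN out of the redirect URL --->
        <cflocation url="/" addtoken="no" />
    </cfif>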

    Of course, this is a very laborious and not easily maintained practice, but sometimes you just work with what you got.
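
ColdFusion MX 7 looks for Application.cfc in the requested page's directory and then in each parent directory, so a single file at the web root applies to /test/ and /test/test2/ alike. The following is an added example, not part of the original answer; the application name, /login.cfm and the list of public pages are assumptions, and it assumes the site is served from the web root so that targetPage looks like /test/test2/thatfile.cfm.

```cfml
<!--- /Application.cfc at the web root (added example; names are assumptions) --->
<cfcomponent output="false">
    <cfset this.name = "secureSiteExample">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Pages reachable without a login; every other page is denied by default --->
    <cfset variables.publicPages = "/index.cfm,/login.cfm">

    <!--- Every new session starts unauthenticated --->
    <cffunction name="onSessionStart" returntype="void" output="false">
        <cfset session.isLoggedIn = false>
    </cffunction>

    <!--- Runs before every .cfm request in this folder and all sub-folders --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Let the login page and other public pages through, avoiding a redirect loop --->
        <cfif listFindNoCase(variables.publicPages, arguments.targetPage) GT 0>
            <cfreturn true>
        </cfif>

        <!--- Anything else requires an authenticated session --->
        <cfif (NOT structKeyExists(session, "isLoggedIn")) OR (NOT session.isLoggedIn)>
            <!--- cflocation ends the request; addtoken="no" keeps CFID/CFTOKEN out of the URL --->
            <cflocation url="/login.cfm" addtoken="no">
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

ColdFusion stops at the first Application.cfc or Application.cfm it finds while walking up, so a stray one left in a sub-folder replaces this check for that folder; remove those files when consolidating.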