Some pointers here:
http://www.bennadel.com/blog/1131-Ask-Ben-Ending-ColdFusion-Session-When-User-Closes-Browser.htm

The idea is to set up the session expiration in CF admin to a few hours
(which should give the users enough time to complete the form), authenticate
the user using whatever method you need, and then programmatically delete
the session when the browser is closed. Or use J2EE session id (set up also
in CF Admin).

Hopefully the link will help.

Marius
-----Original Message-----
From: Dawson, Michael [mailto:m...@evansville.edu] 
Sent: June 13, 2009 9:18 AM
To: cf-talk
Subject: RE: User Authentication without Session Expiration


No one has any suggestions for this issue?

  _____  

From: Dawson, Michael [mailto:m...@evansville.edu]
Sent: Fri 6/12/2009 10:24 AM
To: cf-talk
Subject: User Authentication without Session Expiration




For the last seven years, I have used IIS and basic authentication to
log in to our intranet web site.  We tied in to Active Directory for the
user database.

Now, we are building a new online admission application where the
applicants will not yet have an Active Directory account.  Therefore, it
will be a simple form -> DB check process.  Once the user is
authenticated, they will stay logged-in until they close their browser.
In other words, some of the forms may be considerable in length and we
don't want to lose a session in the midst of completing a form.

It's been years since I built a form-based authentication system.

I have no problem confirming the credentials, but I'm fuzzy when it
comes to keeping the user logged-in.  I know I need to create a
browser-based session cookie that will expire when the browser is
closed.  However, what will go in that cookie?

The credentials are an email address and a security token.

I can see a few ways of handling this:
1. Encrypt the credentials and store in the cookie.  Then, decrypt the
values each time another page is requested.
2. Create a UID and store that in the cookie.  In addition, that UID
would also be stored in the user's record on the DB.  On each request, I
would compare the cookie to the DB and then return that user's
information.

Or, should I use a CF session and have the browser do a regular
heartbeat to keep the session active?

Thanks for any suggestions.

Mike
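
Option 2 from the question (a random identifier in a browser-session cookie, checked against the database on every request), written out as an added example; it is not code from either poster. The datasource, table, column and cookie names and the four-hour idle limit are assumptions, and the `httponly` cookie attribute needs ColdFusion 9 or later.

```cfml
<!--- Added example. Assumed names: datasource "admissions", cookie APPSESSION,
      table applicant_sessions(token_hash, applicant_id, last_seen). --->
<cfcomponent output="false">

  <!--- Call once, after the email + security token were verified against the DB. --->
  <cffunction name="issue" access="public" returntype="void" output="false">
    <cfargument name="applicantId" type="numeric" required="true">
    <!--- 128 bits from the JCE key generator, hex-encoded; it carries no credentials. --->
    <cfset var token = Hash(GenerateSecretKey("AES"), "SHA-256")>
    <!--- Store only a hash, so a leaked table does not yield usable cookies. --->
    <cfquery datasource="admissions">
      INSERT INTO applicant_sessions (token_hash, applicant_id, last_seen)
      VALUES (
        <cfqueryparam value="#Hash(token, 'SHA-256')#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#arguments.applicantId#" cfsqltype="cf_sql_integer">,
        <cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp">
      )
    </cfquery>
    <!--- No "expires" attribute: the browser drops the cookie when it is closed. --->
    <cfcookie name="APPSESSION" value="#token#" secure="true" httponly="true">
  </cffunction>

  <!--- Call on every request (e.g. from onRequestStart); returns the applicant id, or 0. --->
  <cffunction name="lookup" access="public" returntype="numeric" output="false">
    <cfset var q = "">
    <cfset var tokenHash = "">
    <cfif NOT StructKeyExists(cookie, "APPSESSION")><cfreturn 0></cfif>
    <cfset tokenHash = Hash(cookie.APPSESSION, "SHA-256")>
    <cfquery name="q" datasource="admissions">
      SELECT applicant_id FROM applicant_sessions
      WHERE token_hash = <cfqueryparam value="#tokenHash#" cfsqltype="cf_sql_varchar">
        AND last_seen > <cfqueryparam value="#DateAdd('h', -4, Now())#" cfsqltype="cf_sql_timestamp">
    </cfquery>
    <cfif q.recordCount NEQ 1><cfreturn 0></cfif>
    <!--- Sliding window: each request pushes the idle deadline forward (assumed 4 hours). --->
    <cfquery datasource="admissions">
      UPDATE applicant_sessions
      SET last_seen = <cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp">
      WHERE token_hash = <cfqueryparam value="#tokenHash#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <cfreturn q.applicant_id>
  </cffunction>

</cfcomponent>
```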






Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323486