As I was reading your post, the obvious solution seems to be session
variables, but I can't stand them either. So I was thinking, how about
handling it like Windows does? Network admins are always trying to get
people to log out of their computers when they leave their desk. Of course,
they never do. So the solution is to have the password screensaver come up
after a certain amount of inactivity, and when the user comes back they have
to type their password in again. So I think one possible solution would be
to keep track of a user's activity: on every page view check to see how long
it has been since their last page view, and if it was over the time limit,
kick them back to the login prompt and then delete the client variables.
Sort of a pseudo session var system, without the reliability problems. I'd
keep the information in an application-scoped structure of some sort; that
way, down the road, you can build an app that lets you see who is logged on.
Another enhancement would be to write a bit of javascript to every page with
a setTimeout() of how much time they have left to click on something, and
once the clock runs out, kick them to the login prompt automagically. I
think there is an article out there on how to do this in CF. HP's shopping
cart does this right now too...so you could see how they are doing it.

jon's .02
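The idle-timeout scheme jon sketches above, written out as an added example (this is not code from the original post and not ColdFusion; it is a plain Python model of the same idea, so the logic can be read independently of CF's client/session machinery). The application-scoped structure is a dictionary keyed by a per-login token, every page view calls a check that either refreshes the last-seen time or deletes the entry and sends the user back to the login prompt, there is a "who is logged on" listing, and a seconds-remaining value that a page's setTimeout() could be fed. The 15-minute limit, the names ActivityTracker, touch, who_is_logged_on and seconds_remaining, and the fake clock used to replay the walk-away scenario from the thread are all assumptions made for this demonstration.

```python
"""Idle-timeout tracker modelled on the 'password screensaver' idea in the thread.

Example code, not from the original post. All names and the limit are assumed.
"""
import secrets
import time

IDLE_LIMIT_SECONDS = 15 * 60  # assumed value; the thread itself mentions a 1 hour limit


class ActivityTracker:
    """Application-scoped table of logged-in users, keyed by a random login token."""

    def __init__(self, idle_limit=IDLE_LIMIT_SECONDS, clock=time.time):
        self.idle_limit = idle_limit
        self._clock = clock          # injectable so the scenario below is deterministic
        self._active = {}            # token -> {"user", "level", "last_seen"}

    def login(self, user, level):
        """Create the server-side record; the token is what the browser gets as a cookie."""
        token = secrets.token_urlsafe(32)
        self._active[token] = {"user": user, "level": level, "last_seen": self._clock()}
        return token

    def touch(self, token):
        """Run on every page view. Returns the record if still valid, or None
        when the user has been idle too long (caller then redirects to login)."""
        record = self._active.get(token)
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > self.idle_limit:
            # Delete the server-side state: the cookie left in the browser is now worthless.
            del self._active[token]
            return None
        record["last_seen"] = now    # activity resets the clock, like moving the mouse
        return record

    def seconds_remaining(self, token):
        """Value to hand to the page's setTimeout() countdown (0 if already expired)."""
        record = self._active.get(token)
        if record is None:
            return 0
        return max(0, int(self.idle_limit - (self._clock() - record["last_seen"])))

    def logout(self, token):
        self._active.pop(token, None)

    def purge_idle(self):
        """Drop entries that expired without ever coming back; returns how many."""
        now = self._clock()
        stale = [t for t, r in self._active.items() if now - r["last_seen"] > self.idle_limit]
        for t in stale:
            del self._active[t]
        return len(stale)

    def who_is_logged_on(self):
        """The 'see who is logged on' view jon mentions, with expired logins removed first."""
        self.purge_idle()
        return sorted((r["user"], r["level"]) for r in self._active.values())


class FakeClock:
    """Constructed clock so the scenario runs offline and in zero wall time."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def walk_away_scenario(idle_limit=IDLE_LIMIT_SECONDS):
    """Replay the thread's case: a level-4 user keeps working, then walks away
    without logging off; the next person to pick up the browser is sent to login."""
    clock = FakeClock()
    tracker = ActivityTracker(idle_limit, clock=clock.now)
    token = tracker.login("level4-user", 4)

    clock.advance(idle_limit - 1)
    first = tracker.touch(token)           # just inside the limit: allowed, timer reset
    clock.advance(idle_limit - 1)
    second = tracker.touch(token)          # still allowed because the last view reset it
    listed_while_active = tracker.who_is_logged_on()
    remaining = tracker.seconds_remaining(token)

    clock.advance(idle_limit + 1)
    third = tracker.touch(token)           # walked away: record deleted, back to login
    return {
        "first_allowed": first is not None,
        "second_allowed": second is not None,
        "listed_while_active": listed_while_active,
        "remaining_after_touch": remaining,
        "third_allowed": third is not None,
        "listed_after_expiry": tracker.who_is_logged_on(),
    }


if __name__ == "__main__":
    for key, value in walk_away_scenario().items():
        print(f"{key}: {value}")
```

One caveat worth keeping in mind when weighing this against Todd's concern: the check only closes the window after the idle limit has elapsed. Someone who sits down at the abandoned browser inside that limit still inherits the login, so the limit has to be short enough that the exposure is acceptable, and the server-side record, not the cookie, must be what is deleted on timeout.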

----- Original Message -----
From: "Todd" <[EMAIL PROTECTED]>
To: "CF-Community" <[EMAIL PROTECTED]>
Sent: Wednesday, March 20, 2002 4:21 PM
Subject: Re: Using Client Variables for security


> I prefer them too and we are using them in a database.  The problem is,
> some dude with level 4 access closes the browser without logging off.
> Someone comes along within the 1 hour timeout limit and opens the browser
> and suddenly has access to level 4 commands, because they hijacked the
> identity of the other guy.  Now, when the browser closes, I can delete the
> cookies, but that would ruin the session for the other browsers that are
> open in the site .. this is a bad thing.
>
> Any idea how I can kill Client variable session when closing a browser
> without killing all sessions for all browsers?
>
> Todd Ashworth
> Macromedia Certified Professional
> Web Application Developer
>
> SCD, Inc.
> Oak Hill Business Park Suite H
> 8848 Red Oak Blvd.
> Charlotte, NC 28217
> 704-523-0905 [178] (Voice)
> www.scdinc.com
>
> ----- Original Message -----
> From: "Nick McClure" <[EMAIL PROTECTED]>
> To: "CF-Community" <[EMAIL PROTECTED]>
> Sent: Wednesday, March 20, 2002 3:27 PM
> Subject: Re: Using Client Variables for security
>
>
> > I like client variables, in fact I prefer them, however I use a
> > Database to store the vars in and not cookies.
> >
> > If you do it that way then the only difference between client and
> > session is if they are stored in Web Server ram or the Database. The
> > normal cookies will always be there no matter which side you use.
> > At 03:23 PM 3/20/2002 -0500, you wrote:
> > >Does anyone know of any good tutorials/articles about locking down a
> > >site that uses Client variables for security?  My boss seems to think
> > >Session variables are the way to go and wants to go through the headache
> > >of converting all of the Client Variables in our rather large intranet
> > >to session variables.  Obviously, I don't want to do this because I just
> > >know about 30 things are going to break.  I'm of the opinion that it
> > >mostly doesn't matter which I use as long as everything is done right.
> > >
> > >One of the main concerns he has is what if someone closes the browser
> > >without logging off.  I gave him a way that could be taken care of.  He
> > >asked, won't that kill their session on all of the browsers they have
> > >open on our site?  I said, yep.  He said, I don't want that.  Anyone
> > >have any ideas for me?
> > >
> > >Todd
>
> 
______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists