Yes, it's expected behaviour. Your CFLOGIN tag will fire for non-logged-in requests, and the cflogin structure will be populated by HTTP Basic Auth credentials. If you then validate that information against a database or something, it's entirely possible to be logged in to both "things" (apache and your app) with a single request.
If you want to prevent that from happening, I think the only thing you can do is not use the CFLOGIN struct for your application-level authentication, and instead use something else (like differently named FORM fields). I've never used HTTP auth with a CF application though, so it's entirely possible (likely even) that I'm missing something.

cheers,
barneyb

On Fri, 10 Dec 2004 12:57:57 -0000, Edward Chanter <[EMAIL PROTECTED]> wrote:
> Dear All,
>
> This is a bit of a weird one... I'm trying to use apache to protect a folder
> on the web server using the .htaccess file and relevant command lines to
> create users etc. After a bit of playing around with it I got it working
> just fine. Then I tried to implement a CF auth framework on the same
> directory using a known good mx code base, and suddenly when I log in via
> apache cf's GetAuthUser() function treats me as if I'm logged in as well...
> Is this something it's supposed to do or have I done something wrong when I
> was setting it up? More importantly is there a way to stop this
> behaviour...?
>
> Thanks in advance for any insight :-)
>
> best wishes,
>
> -= Ed

--
Barney Boisvert
[EMAIL PROTECTED]
360.319.6145
http://www.barneyb.com/blog/
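
The suggestion in the reply above (keep application login off the CFLOGIN struct and read differently named FORM fields), sketched as an Application.cfm. This is an added example, not code from the thread: the field names app_user and app_pass, the datasource appDSN, the app_users table with its salted SHA-256 column, and loginform.cfm are all assumptions, and hash() with an algorithm argument needs a ColdFusion version that supports it.

```cfml
<!--- Application.cfm: added example; all names below are assumptions --->
<cfapplication name="protectedApp" sessionmanagement="yes" loginstorage="session">

<cflogin>
    <!--- Inside cflogin, cflogin.name / cflogin.password can be filled from
          the HTTP Basic Auth header that Apache has already accepted.
          They are deliberately never read here. --->
    <cfset appLoginOk = false>

    <!--- Only credentials posted in the application's own form fields count --->
    <cfif structKeyExists(form, "app_user") and structKeyExists(form, "app_pass")>
        <cfquery name="qUser" datasource="appDSN">
            SELECT username, pass_hash, salt, roles
            FROM app_users
            WHERE username = <cfqueryparam value="#form.app_user#"
                                           cfsqltype="cf_sql_varchar" maxlength="64">
        </cfquery>

        <!--- Placeholder password scheme: uppercase hex SHA-256 of salt + password.
              Substitute whatever scheme the application really uses. --->
        <cfif qUser.recordCount eq 1
              and compare(hash(qUser.salt & form.app_pass, "SHA-256"), qUser.pass_hash) eq 0>
            <cfloginuser name="#qUser.username#"
                         password="#form.app_pass#"
                         roles="#qUser.roles#">
            <cfset appLoginOk = true>
        </cfif>
    </cfif>

    <!--- The decision rests on the local flag, so nothing the web server
          put in the request can satisfy it. --->
    <cfif not appLoginOk>
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>
</cflogin>
```

With this layout the Apache login and the application login stay separate: passing the .htaccess prompt alone still lands the user on loginform.cfm.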
