Generally speaking, here's what I do:

Upon successful login, set a session variable to an ID from the database
that points to their username record in the DB.  If that variable is not
defined, then you redirect them to the login page w/ instructions that
their login has expired and they need to re-login.

A few things I feel I should mention also:

Never pass this id around in forms or on query strings.  This shouldn't
need to be stated, but if you write code that's looking for something on
the query string to prove that they've validated, there's nothing to
prevent somebody from calling up a page like:

your_page.cfm?login_id=200

Never assume that the user has logged in just because nothing else links
to it except a page which required a login.  Again, there's nothing
preventing somebody from directly accessing the page.

The above two points are rather elementary, but I've seen enough developers
do stuff like this to bring it to the attention of a self-admitted
"newbie".

Justin Buist


On Wed, 25 Jul 2001, Roberts, William C wrote:

>
> So if I'm using authentication via the Web server, then how do I kill their
> login to the Web server? The only way I know of killing it is by closing the
> browser window.  Any ideas?  Please help a "newbie" on this subject.
> Thanks!

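A minimal ColdFusion layout of the scheme Justin describes, as an added example rather than code from the post: Application.cfm enforces the session check on every page, login.cfm stores only the database id in the session, and logout.cfm removes it, which is also how a login gets "killed" server-side without closing the browser. The application name, datasource "myDSN", the users table and its columns, and the HashPassword() helper are assumptions, not anything from the list.

```cfml
<!--- Application.cfm (runs before every .cfm page in the directory): enforce the session check --->
<cfapplication name="demoApp"
               sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Pages that must stay reachable without a session --->
<cfset publicPages = "login.cfm,logout.cfm">

<cfif NOT ListFindNoCase(publicPages, ListLast(CGI.SCRIPT_NAME, "/"))>
    <cflock scope="session" type="readonly" timeout="10">
        <!--- Only the server-side session is trusted; form and URL values are never consulted --->
        <cfset loggedIn = IsDefined("session.login_id")>
    </cflock>
    <cfif NOT loggedIn>
        <cflocation url="login.cfm?msg=expired" addtoken="No">
    </cfif>
</cfif>

<!--- login.cfm: look the user up and keep only the database id in the session --->
<cfif IsDefined("form.username") AND IsDefined("form.password")>
    <!--- Assumed schema: users(user_id, username, password_hash). Password hashing is outside
          the post's scope, so the hypothetical HashPassword() stands in for whatever you use --->
    <cfquery name="getUser" datasource="myDSN">
        SELECT user_id
        FROM   users
        WHERE  username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
        AND    password_hash = <cfqueryparam value="#HashPassword(form.password)#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <cfif getUser.RecordCount EQ 1>
        <cflock scope="session" type="exclusive" timeout="10">
            <cfset session.login_id = getUser.user_id>
        </cflock>
        <cflocation url="your_page.cfm" addtoken="No">
    </cfif>
</cfif>
<!--- (the login form's HTML goes here) --->

<!--- logout.cfm: drop the session id and the next request is sent back to the login page --->
<cflock scope="session" type="exclusive" timeout="10">
    <cfset StructDelete(session, "login_id")>
</cflock>
<cflocation url="login.cfm" addtoken="No">
```

Protected pages then read session.login_id (inside a cflock) to load the user's record; a login_id arriving in form or url is simply ignored.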

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
------------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED] with 
'unsubscribe' in the body or visit the list page at www.houseoffusion.com