I've tweaked the code from the easycfm.com tutorial for the user
authentication (login) area so that the user will be redirected to the
directory on the server that is their username.
http://tutorial8.easycfm.com
I've also placed the application.cfm file in each directory that needs
to be authenticated. If the user bookmarks and tries to access the
directory without first being authenticated, it will take them back to
the login.cfm file at the root level. This works well but when the user
is authenticated for their particular directory, they could (if they
happen to know the names of the other directories) access all
directories.
Is there a way to set the <cfset session.allowin = "True"> back to False
anytime the user leaves the directory they're in? When I tried to
redirect the user back to login.cfm with a <cfif NOT isDefined
('session.allowin')>, it would always throw me back to the login page.
Can this be done as I've tried to explain it?
-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 10:30 AM
To: CF-Talk
Subject: RE: End of session
> Parts of the application I'm working on are usable to
> unauthenticated users and parts are not. In my cflogin I'm
> looking at whether the user's request should be authenticated
> or not. The issue I've run into is when the user's session
> times out while they're using the app, and the next click is
> for an unauthenticated area. Rather than have the user
> continue to the unauthenticated area and receive the public
> navigation bar (as opposed to the authenticated navigation)
> I'd like the user to be forwarded to the login screen.
>
> In the list archives there's an exchange about wanting an
> ASP-style OnEndSession event and how that doesn't really
> exist in CF. Assuming that's still true, does anyone have a
> workaround? One thing that comes to mind is letting the user
> know their session is timing out via popup.
> The other option might be appending a URL parameter whenever
> the user is logged in. The logic in the cflogin would see
> that the user isn't logged in and that the URL parameter says
> they were and therefore the user should be directed to the
> login screen rather than the public area they were requesting.
I would probably use a cookie instead of a URL parameter, but in
general, your idea about having a separate token for previously
authenticated users is how I think I'd handle the situation, if I
wanted the same outcome as you.
But why not just let the user decide that for herself? You can let the
user know when logging in how long a session will last, and document
what happens when a session ends, so that the user can choose to login
again if that's appropriate, or skip it if it's not necessary. I
realize that this might not be appropriate for your situation; I'm just
throwing it out there as a possibility.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
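
One way to address the cross-directory access described in the first message, as an added example that is not part of the original thread: instead of resetting session.allowin, the Application.cfm in each user directory compares the logged-in username with the name of the directory it sits in. It assumes login.cfm stores the authenticated username in a hypothetical session.username and that the application name (here the hypothetical "memberArea") matches the one login.cfm uses, so both share the same session.

```cfml
<!--- Application.cfm, one copy in each per-user directory (added example) --->
<!--- Assumption: "memberArea" is the same application name login.cfm uses --->
<cfapplication name="memberArea"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- Name of the directory holding THIS Application.cfm, e.g. "jsmith".
      GetCurrentTemplatePath() points at Application.cfm itself, so the
      result is the same for pages in subfolders of the user's directory. --->
<cfset ownerDir = ListLast(GetDirectoryFromPath(GetCurrentTemplatePath()), "\/")>

<!--- Authentication: not logged in (or session expired) -> login page --->
<cfif NOT StructKeyExists(session, "allowin")
      OR session.allowin NEQ "True"
      OR NOT StructKeyExists(session, "username")>
    <cflocation url="/login.cfm" addtoken="no">
</cfif>

<!--- Authorization: logged in, but this directory belongs to someone else.
      session.username is a hypothetical variable set by login.cfm. --->
<cfif CompareNoCase(session.username, ownerDir) NEQ 0>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>You are not authorized to view this directory.</cfoutput>
    <cfabort>
</cfif>
```

Because the check runs on every request, session.allowin can stay "True" for the whole session; knowing another directory's name no longer grants access to it.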

