cgi.auth_user is what I use. If an end user is operating someone else's computer under their login it is a security breach on the part of the computer owner and the operator. That is a "people" issue more than a technical issue.
I grab cgi.auth_user and compare that against a database table of permissions that I maintain. The end user never needs to log into my application because the permissions I have set up are dictated by cgi.auth_user. I don't need to maintain passwords for people because the network group takes care of that. All I am concerned with is that the end user is authenticated on the network.
So, in application.cfm, I grab cgi.auth_user and run it against a database table that contains a list of directories that person has access to. I then use CF to tell me what the current directory is. If there is a match, show the page. If there is NOT a match, <CFLOCATION> them off to an access request page. It may seem like overkill to ask for cgi.auth_user on every page access, but it also keeps people from doing something like manually adding a variable to the end of an address string to override cgi.auth_user.
-Tim
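A sketch of the per-request check described in the post above, added here as an example and not part of the original message. The datasource name `intranet`, the table `dir_permissions(username, directory)` and the page `/access/request.cfm` are assumptions made for illustration.

```cfml
<!--- Application.cfm: runs before every page request in this application. --->
<!--- Assumed names (not from the post): datasource "intranet", table
      dir_permissions(username, directory), page /access/request.cfm. --->
<cfset accessRequestPage = "/access/request.cfm">

<!--- Always read the identity with an explicit cgi. scope prefix so the
      lookup can never resolve to a URL or form variable of the same name. --->
<cfset authUser = LCase(Trim(cgi.auth_user))>

<!--- Directory part of the requested URL, e.g. /reports/finance/index.cfm
      becomes /reports/finance. A page in the web root maps to "/". --->
<cfset currentDir = LCase(REReplace(cgi.script_name, "/[^/]*$", ""))>
<cfif Len(currentDir) EQ 0>
    <cfset currentDir = "/">
</cfif>

<!--- Skip the check for the access request page itself, otherwise a user
      with no permissions would be redirected in a loop. --->
<cfif CompareNoCase(cgi.script_name, accessRequestPage) NEQ 0>
    <cfset allowed = false>

    <!--- An empty auth_user means the web server did not authenticate the
          request (for example, anonymous access is enabled): deny. --->
    <cfif Len(authUser) GT 0>
        <cfquery name="qPerm" datasource="intranet">
            SELECT directory
            FROM dir_permissions
            WHERE LOWER(username) = <cfqueryparam value="#authUser#" cfsqltype="cf_sql_varchar">
              AND LOWER(directory) = <cfqueryparam value="#currentDir#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfset allowed = (qPerm.RecordCount GT 0)>
    </cfif>

    <!--- No matching row: send the user to the access request page. --->
    <cfif NOT allowed>
        <cflocation url="#accessRequestPage#" addtoken="no">
    </cfif>
</cfif>
```

The match here is exact per directory, so a row for `/reports` does not grant `/reports/finance`; whether subdirectories should inherit access is a policy choice the post does not specify.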

