And one more thing... SSL really doesn't matter because you're not going to use it everywhere on your site, only in some places, so everywhere else that doesn't use SSL is still exposed.
You should always use loginStorage="Session" and combine this with a solid session syndication mechanism. If you're running BlueDragon.NET then your best bet is ScaleOut StateServer. The built-in freebie state server that comes with Windows craps out around three machines in most cases.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee

Get advanced intensive Master-level training in C# & ASP.NET 2.0 for ColdFusion Developers at ProductivityEnhancement.com

----- Original Message -----
From: wolf2k5
To: CF-Talk
Sent: Saturday, March 25, 2006 5:02 AM
Subject: Re: cflogin and load balancing

On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> If I'm not mistaken, *authorization* (not authentication) can't work across multiple CF servers -- clustered or not -- because there's no mechanism for specifying *roles* on any computer other than the one on which CFLOGINUSER was executed.

But if the cflogin cookie is there, the second server will automatically execute the cflogin/cfloginuser code, effectively re-logging in the user and re-assigning him the roles automatically.

Besides the security concerns (username/password in the cookie), which can be somewhat mitigated using HTTPS, do you see any other issue with this?

Thanks.

