> And one more thing... SSL really doesn't matter because you're not going to 
> use it everywhere...

As in, "SSL really doesn't matter with respect to your assumption that it 
somewhat mitigates the security concerns about cookie values being exposed."  
Of course SSL matters with respect to just about everything else. :)
Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee



Get advanced intensive Master-level training in
C# & ASP.NET 2.0 for ColdFusion Developers at
ProductivityEnhancement.com

  ----- Original Message ----- 
  From: Adam Churvis 
  To: CF-Talk 
  Sent: Sunday, March 26, 2006 1:18 PM
  Subject: Re: cflogin and load balancing


  And one more thing... SSL really doesn't matter because you're not going to 
  use it everywhere on your site, only in some places, so everywhere else that 
  doesn't use SSL is still exposed.

  You should always use loginStorage="Session" and combine this with a solid 
  session syndication mechanism.  If you're running BlueDragon.NET then your best 
  bet is ScaleOut StateServer.  The built-in freebie state server that comes with 
  Windows craps out around three machines in most cases.
  Respectfully,

  Adam Phillip Churvis
  Certified Advanced ColdFusion MX 7 Developer
  BlueDragon Alliance Founding Committee



  Get advanced intensive Master-level training in
  C# & ASP.NET 2.0 for ColdFusion Developers at
  ProductivityEnhancement.com

    ----- Original Message ----- 
    From: wolf2k5 
    To: CF-Talk 
    Sent: Saturday, March 25, 2006 5:02 AM
    Subject: Re: cflogin and load balancing


    On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
    > If I'm not mistaken, *authorization* (not authentication) can't work 
    > across multiple CF servers -- clustered or not -- because there's no mechanism 
    > for specifying *roles* on any computer other than the one on which CFLOGINUSER 
    > was executed.

    But if the cflogin cookie is there, the second server will
    automatically execute the cflogin/cfloginuser code, effectively
    re-logging in the user and re-assigning him the roles automatically.

    Besides the security concerns (username/password in the cookie), which
    can be somewhat mitigated using HTTPS, do you see any other issue with
    this?

    Thanks.

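The pattern the quoted message recommends (login state kept in the session rather than in a cookie), as an added example that is not code from the thread or from any of its participants. The application name, the `authenticate` function, the `loginform.cfm` page and the in-memory credential store are assumptions.

```cfml
<!--- Application.cfc: added example, not from the thread.
      loginStorage = "session" keeps the login server-side, so the browser
      only carries a session identifier, never the username/password. --->
<cfcomponent output="false">
    <cfset this.name = "loginDemo">   <!--- assumed application name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Weak setting discussed in the thread: with "cookie" the credentials
          travel in a cookie on every request, including non-HTTPS ones.
              <cfset this.loginStorage = "cookie">
          Corrected setting; on a load-balanced cluster the session store
          itself must then be shared between the servers: --->
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var roles = "">
        <cflogin>
            <!--- The cflogin scope exists only when this request carries
                  login form (or HTTP Basic) credentials. --->
            <cfif isDefined("cflogin")>
                <cfset roles = authenticate(cflogin.name, cflogin.password)>
            </cfif>
            <cfif len(roles)>
                <cfloginuser name="#cflogin.name#"
                             password="#cflogin.password#"
                             roles="#roles#">
            <cfelse>
                <cfinclude template="loginform.cfm">  <!--- assumed page --->
                <cfabort>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>

    <!--- Returns the user's role list, or "" when the credentials are bad.
          The store is a constructed in-memory stand-in for a user database;
          a real store would hold salted hashes, never plaintext. --->
    <cffunction name="authenticate" returntype="string" output="false">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfset var users = structNew()>
        <cfset users["alice"] = structNew()>
        <cfset users["alice"].hash = hash("correct-horse", "SHA-256")>
        <cfset users["alice"].roles = "admin,user">
        <cfif structKeyExists(users, arguments.username)
              and users[arguments.username].hash eq hash(arguments.password, "SHA-256")>
            <cfreturn users[arguments.username].roles>
        </cfif>
        <cfreturn "">
    </cffunction>
</cfcomponent>
```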
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236220
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4