>>The login script checks for a session >> variable, or presence of the cookie.
> The presence of the cookie should not be enough to be logged. > Keep the userId in the cookie for user code preset in the login form, > but use the session variable only to test for login done. Absolutely. Use a session variable. Clear the variable on log-out and, if appropriate, expire the cookie. The trick is to check for the session variable on every secure page. If not... away you go evil hacker. Robert B. Harrison Director of Interactive services Austin & Williams 125 Kennedy Drive, Suite 100 Hauppauge NY 11788 T : 631.231.6600 Ext. 119 F : 631.434.7022 www.austin-williams.com Great advertising can't be either/or... It must be &. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Check out the new features and enhancements in the latest product release - download the "What's New PDF" now http://download.macromedia.com/pub/labs/coldfusion/cf8_beta_whatsnew_052907.pdf Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:290988 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
