Would it help if someone wrote a tutorial covering several different ways to
handle session management stuff?  I'd thought about doing this on more than
one occasion, but I didn't know if it was something that would be useful in
the CF community or not.  If anyone is willing, e-mail me at
[EMAIL PROTECTED] with details and possibly code samples with the way that
you manage sessions and I'll compile it all into a nice tutorial or web page
or something (or both).

Anyway, the method I find to work best for me is this...

1. User enters login_id/password.
2. Check to see if they're correct; if not, throw an error.
3. Assign a session ID variable using the CreateUUID() function.
4. Pop this variable into a session_id column in their row in the database,
then populate a Session_ID cookie or session variable with this value.
5. On pages that require a login, check for that value, then pull the needed
info from the database using their session_id cookie or session variable.
In this case the info would be the permissions for which database entries
they can update and such.

I find this to be fairly simple to use, and virtually impossible to spoof
since the CreateUUID() function is never supposed to generate the same ID
twice, and because the string is so long.  Not to mention their session_id
value would change every time the user logged in.  Even if someone did have
a good understanding of how that function generated values, it would not be
easy to guess the session_id of someone else in the system.  The best way to
prevent that is to use session timing as well, but that's another topic
entirely.

One drawback is that the user would not be able to log in from two different
browsers at once, even on the same computer, although this is kind of good in
a way because it prevents multiple people from using a given account at the
same time.

If you have any questions about this method, or if anyone can see any
obvious flaws, please let me know <g>.

_______________________________________

Justin Scott :: [Staff Developer]
http://www.annex.com


> I'm basically just trying to create an application that requires login.
> Which pages that person can view, and which fields in a shared database they
> will have access to view and/or update, will depend on what ID is used to
> log in with. I'm still a newbie and use 3 different ColdFusion books as a
> reference but still can't figure out how to set this up correctly. Does
> anyone know of any good web-based tutorials on this matter?
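The five-step scheme above, worked through end to end in Python as an added example (this is not Justin's code and not ColdFusion; a CF implementation would use CreateUUID(), cfquery and cfcookie, and CF's session scope). The users table, its permissions column (assumed here to be a comma-separated list of tables the user may update), the two sample accounts and their passwords are all constructed for the example. Two deliberate substitutions are labelled in the code: the token comes from the OS CSPRNG via secrets.token_urlsafe() rather than from a UUID function, and the session_id column stores a SHA-256 of the token rather than the token itself, so that read access to the table does not hand out live sessions. The one-session-per-account behaviour the post calls a drawback falls out naturally, because a second login overwrites the stored session_id and invalidates the first browser's cookie.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample accounts: (login_id, password, permissions).
# Assumption: permissions is a comma-separated list of tables the user may update.
SAMPLE_USERS = [
    ("alice", "correct horse", "orders,customers"),
    ("bob", "battery staple", "orders"),
]

PBKDF2_ROUNDS = 200_000


def _hash_password(password, salt):
    """Salted, slow password hash for the stored credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _session_fingerprint(token):
    """Substitution: only a hash of the token is stored in the session_id column."""
    return hashlib.sha256(token.encode()).hexdigest()


def open_db():
    """In-memory stand-in for the users table the post describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               login_id    TEXT PRIMARY KEY,
               pw_salt     BLOB NOT NULL,
               pw_hash     BLOB NOT NULL,
               permissions TEXT NOT NULL,
               session_id  TEXT)"""  # hash of the live token, or NULL when logged out
    )
    for login_id, password, perms in SAMPLE_USERS:
        salt = secrets.token_bytes(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?, NULL)",
            (login_id, salt, _hash_password(password, salt), perms),
        )
    conn.commit()
    return conn


def login(conn, login_id, password):
    """Steps 1-4: check the credentials, mint a fresh token, store its hash.

    Returns the token to put in the Session_ID cookie, or None on failure.
    """
    row = conn.execute(
        "SELECT pw_salt, pw_hash FROM users WHERE login_id = ?", (login_id,)
    ).fetchone()
    if row is None:
        return None
    salt, stored = row
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return None
    # Substitution: 256 bits from the OS CSPRNG instead of a UUID.
    token = secrets.token_urlsafe(32)
    # Overwriting session_id is what makes any earlier login for this account stale.
    conn.execute(
        "UPDATE users SET session_id = ? WHERE login_id = ?",
        (_session_fingerprint(token), login_id),
    )
    conn.commit()
    return token


def current_user(conn, token):
    """Step 5: resolve the cookie value to (login_id, [permissions]) or None."""
    if not token:
        return None
    row = conn.execute(
        "SELECT login_id, permissions FROM users WHERE session_id = ?",
        (_session_fingerprint(token),),
    ).fetchone()
    return None if row is None else (row[0], row[1].split(","))


def can_update(conn, token, table):
    """The check a protected page runs before letting a user edit a table."""
    user = current_user(conn, token)
    return user is not None and table in user[1]


def logout(conn, token):
    """Clear the stored session so the cookie value stops resolving."""
    conn.execute(
        "UPDATE users SET session_id = NULL WHERE session_id = ?",
        (_session_fingerprint(token),),
    )
    conn.commit()


if __name__ == "__main__":
    db = open_db()
    cookie = login(db, "alice", "correct horse")
    print("alice may update orders:", can_update(db, cookie, "orders"))
    second = login(db, "alice", "correct horse")  # same account, second browser
    print("first cookie still valid:", current_user(db, cookie) is not None)
    print("second cookie valid:", current_user(db, second) is not None)
```

The lookup in current_user is by the hash of the token, so a forged cookie simply matches no row; the constant-time comparison is only needed on the password check, where the stored hash is being compared against a computed one. Session timing (expiry) is left out, as in the post.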


------------------------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a message 
with 'unsubscribe' in the body to [EMAIL PROTECTED]
