I would advise against storing user data in a literal way in a cookie. 
We ran into a situation where the user's ID was stored in a cookie.  By 
changing the cookie, I could impersonate any user.

Client variables (you're using a DB for them, right?) might be a good 
way to avoid that, though, since they don't store an easily recognizable 
or fudgable ID (like the auto-incremented ID key for users 0-:)

--Ben Doom

Dennis Powers wrote:
>>> therefore I have a max session timeout of 20 minutes.
> 
>>> we store username in their session
> 
>>> My problem lies with a user typing and typing and going over their 
>>> timeout limit of 20 min.
> 
> I ran into a similar problem with a website where people would start
> something, get interrupted, leave the page open, come back, finish and submit
> only to find the session had expired and the work seemed lost because they had
> to login again.  Javascript keep alive was unreliable so I had to re-think
> the authentication plan and eventually changed it to store the login
> information in a cookie.  That way once they logged in they could take
> as long as they wanted because if the session expired the application would
> log them back from the cookie information and accept the post.
> 
> Best Regards,
> 
> Dennis Powers
> UXB Internet - A website design and Hosting Company
> 690 Wolcott Road
> P.O. Box 6029
> Wolcott, CT 06716
> Tel: (203)879-2844
> http://www.uxbinternet.com/
> http://www.uxb.net/
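The two messages above describe the same trade-off from opposite ends: Dennis wants a login that survives a 20-minute session timeout, and Ben warns that a cookie holding the bare user ID lets anyone who edits the cookie become any user. The following is an added example written for this thread, not code from either poster and not ColdFusion (it is Python, so it can be run as-is). It puts the two approaches side by side: `naive_user_from_cookie` models the literal-ID cookie Ben ran into, and `issue_login_cookie` / `verify_login_cookie` model one common way to make a persistent login cookie tamper-evident, by binding the user ID and an expiry time to an HMAC computed with a secret that only the server holds. All function names, the `SERVER_KEY` constant and the `uid.expires.mac` cookie layout are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Secret known only to the server. Constructed here for the example; a real
# deployment would load it from configuration or a secret store, never hardcode it.
SERVER_KEY = secrets.token_bytes(32)


def naive_user_from_cookie(cookie: str):
    """The pattern Ben warns about: the cookie *is* the user ID.

    Whatever integer the client sends back is trusted, so a cookie edited
    from "42" to "7" silently logs the browser in as user 7.
    """
    try:
        return int(cookie)
    except ValueError:
        return None


def _b64(raw: bytes) -> str:
    # URL-safe base64 without padding, so the value is safe in a cookie header.
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_login_cookie(user_id: int, ttl_seconds: int, now=None, key: bytes = SERVER_KEY) -> str:
    """Build a cookie value of the form 'uid.expires.mac' (layout assumed for this example).

    The MAC covers both the user ID and the expiry, so neither can be changed
    by the client without invalidating the cookie.
    """
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    payload = f"{user_id}.{expires}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return payload.decode() + "." + _b64(mac)


def verify_login_cookie(cookie: str, now=None, key: bytes = SERVER_KEY):
    """Return the user ID if the cookie is authentic and unexpired, else None.

    This is what the application would call when the server-side session has
    timed out and it wants to log the user back in from the cookie, as Dennis
    describes, without trusting a client-editable ID.
    """
    now = time.time() if now is None else now
    try:
        uid_str, exp_str, mac_text = cookie.split(".")
        expires = int(exp_str)
        presented_mac = _unb64(mac_text)
    except ValueError:  # wrong field count, non-integer expiry, bad base64
        return None

    payload = f"{uid_str}.{exp_str}".encode()
    expected_mac = hmac.new(key, payload, hashlib.sha256).digest()

    # Constant-time comparison so the check itself does not leak the MAC.
    if not hmac.compare_digest(presented_mac, expected_mac):
        return None
    if now >= expires:
        return None
    return int(uid_str)


if __name__ == "__main__":
    issued_at = 1_000_000  # constructed timestamp so the demo is deterministic
    cookie = issue_login_cookie(42, ttl_seconds=7 * 24 * 3600, now=issued_at)
    print("issued:", cookie)
    print("valid  ->", verify_login_cookie(cookie, now=issued_at + 60))
    uid, exp, mac = cookie.split(".")
    print("edited ->", verify_login_cookie(f"7.{exp}.{mac}", now=issued_at + 60))
    print("naive  ->", naive_user_from_cookie("7"))
```

The point of the comparison is that the signed cookie still carries the user ID in the clear, so it is not a secret, but it is no longer something the client can usefully change; an edited ID, a pushed-out expiry or a truncated value all fail verification and fall back to the normal login page. Ben's alternative of keeping the identity server-side (client variables backed by a database, keyed by a random token) avoids putting the ID in the cookie at all, and the two approaches can be combined: a random token in the cookie, the user ID looked up from it on the server.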


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297072
