For the last seven years, I have used IIS and basic authentication to
log in to our intranet web site.  We tied in to Active Directory for the
user database.
 
Now, we are building a new online admission application where the
applicants will not yet have an Active Directory account.  Therefore, it
will be a simple form -> DB check process.  Once the user is
authenticated, they will stay logged in until they close their browser.
In other words, some of the forms may be considerable in length and we
don't want to lose a session in the midst of completing a form.
 
It's been years since I built a form-based authentication system.
 
I have no problem confirming the credentials, but I'm fuzzy when it
comes to keeping the user logged in.  I know I need to create a
browser-based session cookie that will expire when the browser is
closed.  However, what will go in that cookie?
 
The credentials are an email address and a security token.
 
I can see a few ways of handling this:
1. Encrypt the credentials and store in the cookie.  Then, decrypt the
values each time another page is requested.
2. Create a UID and store that in the cookie.  In addition, that UID
would also be stored in the user's record on the DB.  On each request, I
would compare the cookie to the DB and then return that user's
information.
 
Or, should I use a CF session and have the browser do a regular
heartbeat to keep the session active?
 
Thanks for any suggestions.
 
Mike
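The second option in Mike's message (a random UID in the cookie, matched against a server-side record on each request), as an added example that is not from the post or from any ColdFusion library. It is written in Python with an in-memory SQLite table so it runs on its own; the cookie name, table layout, idle limit and sample credentials are assumptions. Two details go beyond what the post spells out: the database stores only a hash of the session id (and of the security token), so a leaked table cannot be replayed, and each request refreshes a server-side idle timer, so a long form keeps the session alive without a browser heartbeat.

```python
# Added example, not code from the original post: an opaque random session id
# kept in a browser-session cookie and matched against a server-side record.
# Cookie name, table names, idle limit and the sample applicant are constructed.
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Optional

COOKIE_NAME = "admission_sid"      # assumed cookie name
IDLE_LIMIT = timedelta(hours=2)    # assumed idle timeout; generous for long forms


def _digest(value: str) -> str:
    # The browser holds the raw session id; the DB holds only its hash, so a
    # copied sessions table cannot be turned into a working cookie.
    return hashlib.sha256(value.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE applicants (email TEXT PRIMARY KEY, token_hash TEXT)")
        self.db.execute(
            "CREATE TABLE sessions (sid_hash TEXT PRIMARY KEY, email TEXT, last_seen TEXT)"
        )

    def add_applicant(self, email: str, security_token: str) -> None:
        # Constructed sample credential; the security token is stored hashed as well.
        self.db.execute("INSERT INTO applicants VALUES (?, ?)", (email, _digest(security_token)))

    def login(self, email: str, security_token: str) -> Optional[str]:
        """Return a fresh raw session id on success, None on bad credentials."""
        row = self.db.execute(
            "SELECT token_hash FROM applicants WHERE email = ?", (email,)
        ).fetchone()
        if row is None or not hmac.compare_digest(row[0], _digest(security_token)):
            return None
        # 256 bits from the OS CSPRNG; the id is never derived from the credentials.
        sid = secrets.token_urlsafe(32)
        self.db.execute(
            "INSERT INTO sessions VALUES (?, ?, ?)",
            (_digest(sid), email, datetime.now(timezone.utc).isoformat()),
        )
        return sid

    def whoami(self, sid: Optional[str], now: Optional[datetime] = None) -> Optional[str]:
        """Resolve a presented cookie value to an email, or None if unknown or expired."""
        if not sid:
            return None
        now = now or datetime.now(timezone.utc)
        row = self.db.execute(
            "SELECT email, last_seen FROM sessions WHERE sid_hash = ?", (_digest(sid),)
        ).fetchone()
        if row is None:
            return None
        email, last_seen = row
        if now - datetime.fromisoformat(last_seen) > IDLE_LIMIT:
            self.db.execute("DELETE FROM sessions WHERE sid_hash = ?", (_digest(sid),))
            return None
        # Every request refreshes the idle timer, so a long form keeps the session alive.
        self.db.execute(
            "UPDATE sessions SET last_seen = ? WHERE sid_hash = ?", (now.isoformat(), _digest(sid))
        )
        return email

    def logout(self, sid: str) -> None:
        # Server-side deletion revokes the cookie even if the browser keeps it.
        self.db.execute("DELETE FROM sessions WHERE sid_hash = ?", (_digest(sid),))


def set_cookie_header(sid: str) -> str:
    # No Expires/Max-Age, so the browser discards the cookie when it is closed.
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    store.add_applicant("applicant@example.com", "constructed-token-123")
    sid = store.login("applicant@example.com", "constructed-token-123")
    print(set_cookie_header(sid))
    print(store.whoami(sid))        # applicant@example.com
    print(store.whoami("forged"))   # None
```

The reason to prefer this shape over the first option in the post (encrypted credentials in the cookie) is revocation: an encrypted-credentials cookie is a bearer copy of the login that stays valid for as long as the encryption key does, whereas a random id can be deleted on logout or after an idle limit, and the cookie value itself reveals nothing if captured from a log.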


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323453