Thank you both for the assistance. I was trying to stay away from session variables, but I think I will just increase the session timeout to a couple of hours and not worry about the method I was wanting to implement.
We won't have so many users that it would put a strain on our web server.

Thanks,
Mike

-----Original Message-----
From: Arsalan Tariq Keen [mailto:[email protected]]
Sent: Saturday, June 13, 2009 8:47 AM
To: cf-talk
Subject: Re: User Authentication without Session Expiration

I suggest you keep the credentials encrypted or decrypted as you wish, but keep them on the application server in the session scope, and for the browser thingy... use a simple cookie to maintain the heartbeat. You can use a cookie by the name 'logedin' and set its value true. Every time a new page is requested, check for the session scope and the browser cookie to have the mentioned value. If the session scope expires then the user will have to sign in again. However, if the cookie expires, let's say because of closing the browser window on the client side, you can redirect the user to the sign-in page where their username is already being displayed and you ask for the password AGAIN to continue. Something which often happens on Yahoo and Hotmail :)

--------------------------------------------------
From: "Dawson, Michael" <[email protected]>
Sent: Saturday, June 13, 2009 7:17 PM
To: "cf-talk" <[email protected]>
Subject: RE: User Authentication without Session Expiration

> No one has any suggestions for this issue?
>
> _____
>
> From: Dawson, Michael [mailto:[email protected]]
> Sent: Fri 6/12/2009 10:24 AM
> To: cf-talk
> Subject: User Authentication without Session Expiration
>
> For the last seven years, I have used IIS and basic authentication to log in to our intranet web site. We tied in to Active Directory for the user database.
>
> Now, we are building a new online admission application where the applicants will not yet have an Active Directory account. Therefore, it will be a simple form -> DB check process. Once the user is authenticated, they will stay logged-in until they close their browser.
> In other words, some of the forms may be considerable in length and we don't want to lose a session in the midst of completing a form.
>
> It's been years since I built a form-based authentication system.
>
> I have no problem confirming the credentials, but I'm fuzzy when it comes to keeping the user logged-in. I know I need to create a browser-based session cookie that will expire when the browser is closed. However, what will go in that cookie?
>
> The credentials are an email address and a security token.
>
> I can see a few ways of handling this:
> 1. Encrypt the credentials and store in the cookie. Then, decrypt the values each time another page is requested.
> 2. Create a UID and store that in the cookie. In addition, that UID would also be stored in the user's record on the DB. On each request, I would compare the cookie to the DB and then return that user's information.
>
> Or, should I use a CF session and have the browser do a regular heartbeat to keep the session active?
>
> Thanks for any suggestions.
>
> Mike

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323523
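The following is an added illustration of Mike's option 2 combined with Arsalan's server-side-session-plus-heartbeat idea; it is not code from anyone in the thread and is written in Python rather than ColdFusion so the mechanics are visible without CF scopes. The server stores only a hash of a random session identifier keyed to the user's record (so nothing in the cookie needs decrypting, and a leaked store does not hand out usable cookies), the cookie carries no expiry so the browser drops it when closed, and every request, including a heartbeat, slides the idle timeout forward. The two-hour timeout, the cookie name `sid`, the `SessionStore` class and the injectable clock are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Idle timeout of two hours, matching the value Mike settled on (assumed for the example).
IDLE_TIMEOUT_SECONDS = 2 * 60 * 60
COOKIE_NAME = "sid"  # hypothetical cookie name


class SessionStore:
    """Server-side session table: sha256(token) -> {user, last_seen}.

    Stands in for the DB column holding the UID in Mike's option 2. The clock is
    injectable so the sliding expiry can be exercised deterministically.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}

    @staticmethod
    def _key(token: str) -> str:
        # Store a hash, not the raw token: a copy of the table is useless without
        # the original cookie value, which only the browser holds.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_email: str) -> str:
        # 256 bits from the OS CSPRNG: unguessable, unlike a fixed 'true' flag.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user_email,
            "last_seen": self._now(),
        }
        return token

    def lookup(self, token: str):
        """Return the user for a live session and slide its expiry, else None."""
        if not token:
            return None
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        now = self._now()
        if now - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            # Expired: remove it so the same cookie can never come back to life.
            del self._sessions[key]
            return None
        # Any request, including a heartbeat ping, counts as activity.
        record["last_seen"] = now
        return record["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)


def session_cookie(token: str) -> str:
    """Set-Cookie value for a browser-session cookie.

    No Expires/Max-Age, so the browser discards it on close; HttpOnly keeps
    script from reading it; Secure restricts it to HTTPS; SameSite=Lax limits
    cross-site sends.
    """
    return f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def authenticate_request(store: SessionStore, cookie_header: str):
    """Parse a raw Cookie header and resolve it to a user, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return store.lookup(value)
    return None


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("applicant@example.com")  # constructed sample user
    print("Set-Cookie:", session_cookie(tok))
    print("resolved:", authenticate_request(store, f"other=1; {COOKIE_NAME}={tok}"))
    store.logout(tok)
    print("after logout:", authenticate_request(store, f"{COOKIE_NAME}={tok}"))
```

The long admission forms Mike mentions are served by the sliding `last_seen` update: a background heartbeat request every few minutes keeps `lookup` renewing the record, while a browser that is simply closed loses the cookie and the record ages out on its own.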

