>> login authentication in the session scope and let J2EE session
>> variables manage the sessions.

Web servers are send-and-forget devices. The only way to maintain session state is to use cookies or explicitly add IDs (which are normally in the cookies) that the server can track to forms and URLs. This is irrespective of the application server technology.

>> My understanding is that the customer does not permit their employees
>> to use cookies on their machines.

From a security perspective, cookies are a better option because passing IDs in the open can result in session hijacking when someone bookmarks a link. As unadvisable as it is, your only option is to add the session tokens to every URL and form if you detect that cookies are not enabled. This unfortunately will open a public web application to session hijacking if people share links or bookmark URLs within the application.

Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354439
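
A defender-side check for the exposure described in the message above, as an added example that is not part of the original post: it scans web access log lines for ColdFusion session identifiers carried in URLs (CFID/CFTOKEN, or jsessionid for J2EE sessions) and reports any session presented from more than one client address. The log lines, addresses and token values are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Session identifiers ColdFusion can carry in a URL: CFID/CFTOKEN for native
# sessions, jsessionid (query or ";jsessionid=" path parameter) for J2EE sessions.
TOKEN_PARAMS = {"cfid", "cftoken", "jsessionid"}
PATH_PARAM = re.compile(r";jsessionid=([^;?/#]+)", re.I)
# Common Log Format prefix: client address, identity, user, [time], "METHOD target ..."
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*"')

def url_session_tokens(url):
    """Return the session identifiers found in a URL as a sorted tuple of (name, value)."""
    parts = urlsplit(url)
    found = {("jsessionid", v) for v in PATH_PARAM.findall(parts.path)}
    for name, value in parse_qsl(parts.query):
        if name.lower() in TOKEN_PARAMS and value:
            found.add((name.lower(), value))
    return tuple(sorted(found))

def shared_sessions(lines):
    """Map each URL-borne session to its client addresses, keeping sessions seen from more than one."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        tokens = url_session_tokens(m.group(2))
        if tokens:
            seen[tokens].add(m.group(1))
    # Several addresses can be legitimate (proxies, roaming clients); treat hits as leads to review.
    return {t: sorted(ips) for t, ips in seen.items() if len(ips) > 1}

# Constructed sample: one CFID/CFTOKEN pair reused from a second address (a shared
# or bookmarked link), and one jsessionid that stays with a single client.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2013:10:00:00 +0000] "GET /app/index.cfm?CFID=1201&CFTOKEN=48213377 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Mar/2013:10:01:12 +0000] "GET /app/report.cfm?id=7&CFID=1201&CFTOKEN=48213377 HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Mar/2013:14:30:45 +0000] "GET /app/report.cfm?id=7&CFID=1201&CFTOKEN=48213377 HTTP/1.1" 200 900',
    '203.0.113.5 - - [01/Mar/2013:15:00:00 +0000] "GET /app/index.cfm;jsessionid=8430a1b2c3 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Mar/2013:15:00:09 +0000] "GET /app/index.cfm HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for tokens, clients in shared_sessions(SAMPLE_LOG).items():
        print(dict(tokens), "presented by", clients)
```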

