[cfaussie] RE: cflogin

[spike]

You should be able to read the username and password out of the HTTP headers that are sent to the server: getHTTPHeaders() Somewhere in there you will find the encoded username and password. They are encoded to base64, so you should be able to decode them without too much trouble using this code: <cfscript>   encoder = createObject('java','coldfusion.wddx.Base64Encoder');   cleartext = encoder.decode(encodedheader); </cfscript> That should give you username:password as clear text providing you have the right http header. Also, this will only work if your webserver is using simple encryption. I don't have a set-up I can test this on right now, but hopefully you get the idea. Spike Phil Evans wrote: I've always just written my own, with the username saved in a cookie, and they enter the password each time. Works fine, but I've always wondered about how to get integrated windows authentication? I'd prefer to avoid cflogin if possible.   Any tips?   Thanx, Phil. ----- Original Message ----- From: spike To: CFAussie Mailing List Sent: Tuesday, June 17, 2003 4:07 PM Subject: [cfaussie] RE: cflogin The main advantages are: It gives you a single sign on mechanism for flash, integrated windows authentication and ColdFusion It provides you with a standard mechanism for specifiying the roles to which a user belongs and a native function to test for role membership. It provides you with a standard mechanism to get the username of the logged-in user. The main disadvantages are: It gives you a single sign on mechanism which provides a wider target for script kiddies It puts the username and password into the authentication cookie without encrypting them. It's a session cookie, but it's a potential problem nonetheless. It does not provide any standard mechanism to tie roles to permissions, so you usually end up either hard coding permissions per role, or building your own mechanism. On balance, if you're comforatable writing your own code and you're sure that your own login process is secure you might as well avoid cflogin. If you're not 100% sure that your own login process is secure, it is probably worth taking a second look at cflogin. my 2c Spike Mark M wrote: I am probably going to start a big hoo haa saying this, but I personally dont see the point of CFLOGIN apart from the user roles within CFCs. That is the only functionality it provides. Corrections please? I'll second that one. How hard is it to go 'session.userloggedIn = true' Ouch... my pinky hurts :oD Mark ----------------------------------- [EMAIL PROTECTED] ICQ: 3094740 Safe From Bees [www.safefrombees.com] --- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] MX Downunder AsiaPac DevCon - http://mxdu.com/ --- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] MX Downunder AsiaPac DevCon - http://mxdu.com/ --- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] MX Downunder AsiaPac DevCon - http://mxdu.com/ --- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] MX Downunder AsiaPac DevCon - http://mxdu.com/