Hi Spike,
Now you've got me really confused.
I thought I was asking "how do I pick up the username that logged in to the windows session", but given that there's a password that I can also pick up then that doesn't sound real secure???
What username / password are you talking about?
Thanks,
Phil.
----- Original Message -----
Sent: Tuesday, June 17, 2003 4:39 PM
Subject: [cfaussie] RE: cflogin
You should be able to read the username and password out of the HTTP headers that are sent to the server:
getHTTPHeaders()
Somewhere in there you will find the encoded username and password.
They are encoded to base64, so you should be able to decode them without too much trouble using this code:
<cfscript>
  // encodedheader holds the base64-encoded value taken from the HTTP header
  encoder = createObject('java','coldfusion.wddx.Base64Encoder');
  cleartext = encoder.decode(encodedheader);
</cfscript>
That should give you username:password as clear text providing you have the right http header.
Also, this will only work if your webserver is using simple encryption.
I don't have a set-up I can test this on right now, but hopefully you get the idea.
Spike
Phil Evans wrote:
I've always just written my own, with the username saved in a cookie, and they enter the password each time.
Works fine, but I've always wondered about how to get integrated windows authentication?
I'd prefer to avoid cflogin if possible.
Any tips?
Thanx,
Phil.
----- Original Message -----
Sent: Tuesday, June 17, 2003 4:07 PM
Subject: [cfaussie] RE: cflogin
The main advantages are:
- It gives you a single sign on mechanism for flash, integrated windows authentication and ColdFusion.
- It provides you with a standard mechanism for specifying the roles to which a user belongs and a native function to test for role membership.
- It provides you with a standard mechanism to get the username of the logged-in user.
The main disadvantages are:
- It gives you a single sign on mechanism which provides a wider target for script kiddies.
- It puts the username and password into the authentication cookie without encrypting them. It's a session cookie, but it's a potential problem nonetheless.
- It does not provide any standard mechanism to tie roles to permissions, so you usually end up either hard coding permissions per role, or building your own mechanism.
On balance, if you're comfortable writing your own code and you're sure that your own login process is secure you might as well avoid cflogin. If you're not 100% sure that your own login process is secure, it is probably worth taking a second look at cflogin.
my 2c
Spike
Mark M wrote:
I am probably going to start a big hoo haa saying this, but I personally don't see the point of CFLOGIN apart from the user roles within CFCs. That is the only functionality it provides.
Corrections please?
I'll second that one.
How hard is it to go 'session.userloggedIn = true'
Ouch... my pinky hurts :oD
Mark
-----------------------------------
[EMAIL PROTECTED]
ICQ: 3094740
Safe From Bees
[www.safefrombees.com]
---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
MX Downunder AsiaPac DevCon - http://mxdu.com/
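The header decoding discussed in this thread, as an added example that is not part of the original messages (Python rather than ColdFusion so it runs stand-alone; the function name and sample headers are constructed). It decodes only the `Basic` scheme, where base64 is an encoding and not encryption, and reports that NTLM/Negotiate headers used by integrated Windows authentication carry a token rather than a recoverable password.

```python
import base64
import binascii


def parse_authorization(header):
    """Return (scheme, username, password) for an Authorization header value.

    username and password are None unless the scheme is Basic and the
    payload decodes cleanly to "username:password".
    """
    if not header or not header.strip():
        return (None, None, None)
    scheme, _, payload = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme != "basic":
        # NTLM / Negotiate carry a challenge-response or ticket token,
        # so there is no password to read out of the header.
        return (scheme, None, None)
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        # Malformed base64 or non-text bytes: treat as unusable credentials.
        return (scheme, None, None)
    # Split on the first colon only: the password may itself contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return (scheme, None, None)
    return (scheme, username, password)


# Constructed sample header values (not taken from the thread).
SAMPLES = {
    "basic": "Basic " + base64.b64encode(b"phil:s3cret:with:colons").decode("ascii"),
    "ntlm": "NTLM TlRMTVNTUAABAAAA",
    "broken": "Basic not*base64",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, parse_authorization(value))
```

Because anything that can see the request can reverse a `Basic` header this way, that scheme is only appropriate over TLS.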