This is really on the back of an earlier email (last week?) about Application.cfm and CFCs.

Can anyone verify that I'm on the right track and/or point out any problems?

Say, for argument's sake, a Flash remoting app requires a login for use. OK, send username and password to a CFC for authorisation, set the HTTP session value (I prefer the jSessionID - long story) and store a couple of values in session - first name and an authorisation level.

Now that session is between the webserver and the browser holding the *.swf, yes? It's the HTTP transport that has the session, not the Flash app, yes?

So if I wanted to check that the CFC method request comes from an authorised user, I have that wrapped up in the <cffunction>? Possibly a method that "OK's" all CFC requests and then calls the functions as private methods - acting as an authorisation "broker" between the CFC functionality and the user.

Is this the best way to go about this?

I suppose I could have an alternative to using sessions - send back a loginID as data to Flash when they first get authorised. Store that as a global (Flash) variable and re-send that LoginID on every request to the CFC. Unfortunately, that means that all requests will have to be over https, not just the initial login.

I'm just wanting to maintain sessions and only allow authorised requests to the CFC's methods.

Any ideas/comments/flames most welcome

thanx
barry.b
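The authorisation "broker" described in the message above, sketched as an added example that is not part of the original post: one remote method checks the session and dispatches to private methods through an allow-list. The component name, method names, levels and the `session.authLevel` key are hypothetical, and the sketch assumes session management is enabled in Application.cfm and that the login CFC has stored the level in the session.

```cfml
<cfcomponent displayname="SecureFacade" output="false">
    <!--- Allow-list: private method name -> minimum authorisation level (constructed values) --->
    <cfset variables.minLevel = structNew()>
    <cfset variables.minLevel["getOrders"] = 1>
    <cfset variables.minLevel["deleteOrder"] = 5>

    <!--- The only remote method: checks the session, then dispatches --->
    <cffunction name="invokeSecured" access="remote" returntype="any" output="false">
        <cfargument name="methodName" type="string" required="true">
        <cfargument name="args" type="struct" required="false" default="#structNew()#">
        <cfset var level = 0>
        <cfset var result = "">

        <!--- Reject anything not on the allow-list before touching the session --->
        <cfif NOT structKeyExists(variables.minLevel, arguments.methodName)>
            <cfthrow type="Facade.UnknownMethod" message="Unknown method">
        </cfif>

        <!--- No session.authLevel (hypothetical key) leaves level at 0, which fails every check --->
        <cflock scope="session" type="readonly" timeout="5">
            <cfif structKeyExists(session, "authLevel")>
                <cfset level = session.authLevel>
            </cfif>
        </cflock>
        <cfif level LT variables.minLevel[arguments.methodName]>
            <cfthrow type="Facade.NotAuthorised" message="Not authorised">
        </cfif>

        <!--- cfinvoke without a component attribute calls a method of this CFC --->
        <cfinvoke method="#arguments.methodName#" argumentcollection="#arguments.args#" returnvariable="result">
        <cfreturn result>
    </cffunction>

    <cffunction name="getOrders" access="private" returntype="string" output="false">
        <cfreturn "orders visible to any logged-in user">
    </cffunction>

    <cffunction name="deleteOrder" access="private" returntype="string" output="false">
        <cfargument name="orderID" type="numeric" required="true">
        <cfreturn "order #arguments.orderID# deleted">
    </cffunction>
</cfcomponent>
```

Because the working methods are `access="private"`, a Flash Remoting client can reach them only through `invokeSecured`, so the session check cannot be skipped by calling a method directly.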
