Okay, so I've read Chapter 7 of The (most excellent) Book. I think there's
something I've missed, though; it appears to me that the security model is
fundamentally based on the use of client variables, which persist across
client sessions - wherein lies my problem. The FIRST login seems fine, when
a new user registers & logs in, and CLIENT.USER_ID is set by app_Login.cfm.
The pages that I want to secure should reference app_Secure.cfm, which then
looks for CLIENT.USER_ID; if it's defined, no login is required. That's
where my eyebrows raised. I've got the default setting in the Administrator
for client variable purging, which is 10 days. So, if my user returns any
time in the ensuing 10 days after they are first determined to be a
"registered user", they don't need to log in. HOWEVER... client variables
are tied to the browser, not the user. I know essentially nothing about the
environment from which my users may be accessing my site; sure, they might
be at home or on their "own" PC at work, but they may also be a university
student using a shared PC in a Computer Lab, etc... Meaning, of course, that
multiple users viewing my site from the same computer appear to be the same
user to the security system.
So, what have I missed? There are a couple of workarounds I can think of off
the top of my head, but I'm interested to know what the intent of the model
proposed in the book is.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
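An added example, not code from the post or from the book it discusses, contrasting the CLIENT-scope check the post describes with a SESSION-scope check that expires on inactivity or explicit logout, so the next person at a shared lab PC does not inherit the login. The file names Application.cfm, login.cfm and logout.cfm and the 20-minute timeout are assumptions.

```cfml
<!--- Application.cfm (assumed): keep client variables if the site needs them,
      but turn on session management with a short inactivity timeout --->
<cfapplication name="SecureSite"
    clientmanagement="Yes"
    sessionmanagement="Yes"
    sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- app_Secure.cfm, pattern as the post describes it (weak): CLIENT.USER_ID is
      stored against the browser and survives until the purge interval (10 days by
      default), so anyone using the same browser afterwards passes this check --->
<cfif NOT IsDefined("CLIENT.USER_ID")>
    <cflocation url="login.cfm">
</cfif>

<!--- app_Secure.cfm, hardened: SESSION.USER_ID exists only for the current
      session and is dropped after the timeout above or at logout. addtoken="No"
      keeps CFID/CFTOKEN out of the redirect URL, where they could be copied. --->
<cfif NOT IsDefined("SESSION.USER_ID")>
    <cflocation url="login.cfm" addtoken="No">
</cfif>

<!--- login.cfm (assumed), after the credentials have been verified: set the
      identity in the SESSION scope only, not in CLIENT --->
<cfset SESSION.USER_ID = verifiedUserID>

<!--- logout.cfm (assumed): clear both scopes so a shared machine is left clean
      even if an older version of the site had written CLIENT.USER_ID --->
<cfset StructDelete(SESSION, "USER_ID")>
<cfif IsDefined("CLIENT.USER_ID")>
    <cfset DeleteClientVariable("USER_ID")>
</cfif>
<cflocation url="login.cfm" addtoken="No">
```

A visible logout link on every secured page matters as much as the scope choice, since the timeout only helps once the previous user has walked away.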