Although I'm a little unclear of your exact intentions and question, I
assume it has to do with the length of time the client variables persist.
You want a shorter amount of time that the variables are stored on the
server. The best way to do this is to set the client variable purge field to
0.1 days, which purges client vars every 2.4 hours. The other solution is to
use session variables which you can purge out every few minutes or so.

In case you didn't know this (but it sounds like you do by the tone of your
post), if you set the timeout for 2.4 hours or something, that doesn't mean
that the client's session is only "live" for 2.4 hours. It means that the
client vars will be purged 2.4 hours after the last hit to those variables.
Therefore, if a user is using the site for 15 hours solid (no breaks), s/he
will not lose their session/client vars during that time. The point at which
they become "dormant" and don't hit any of those vars, then the countdown
begins to 2.4 hours. In reality, every time the client hits their variables,
the count starts over again.

Did I answer your question?

Nat Papovich
Webthugs Consulting
ICQ 32676414
"People don't know the bandwidth of a FedEx truck full of diskettes."
-William Gibson
> -----Original Message-----
> From: Dave McKenna [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, December 02, 2000 11:37 AM
> To: Fusebox
> Subject: (In)Securing a FuseBox Application
>
>
> Okay, so I've read Chapter 7 of The (most excellent) Book. I think there's
> something I've missed, though; it appears to me that the security model is
> fundamentally based on the use of client variables, which persist across
> client sessions - wherein lies my problem. The FIRST login seems fine, when
> a new user registers & logs in, and CLIENT.USER_ID is set by app_Login.cfm.
> The pages that I want to secure should reference app_Secure.cfm, which then
> looks for CLIENT.USER_ID; if it's defined, no login is required. That's
> where my eyebrows raised. I've got the default setting in the Administrator
> for client variable purging, which is 10 days. So, if my user returns any
> time in the ensuing 10 days after they are first determined to be a
> "registered user", they don't need to log in. HOWEVER... client variables
> are tied to the browser, not the user. I know essentially nothing about the
> environment from which my users may be accessing my site; sure, they might
> be at home or on their "own" PC at work, but they may also be a university
> student using a shared PC in a Computer Lab, etc... Meaning, of course, that
> multiple users viewing my site from the same computer appear to be the same
> user to the security system.
> So, what have I missed? There's a couple of workarounds I can think of off
> the top of my head, but I'm interested to know what the intent of the model
> proposed in the book is.
>
>
>
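
The session-variable approach suggested in the reply, sketched in CFML as an added example. It is not part of either message and is not the book's app_Login.cfm or app_Secure.cfm. The application name, the 20-minute timeout, the login URL and the `authenticatedUserId` variable are assumptions made for illustration.

```cfml
<!--- Application.cfm: turn on session variables with a short idle timeout.
      "SecureDemo" and the 20-minute value are assumed for this example. --->
<cfapplication name="SecureDemo"
               clientmanagement="Yes"
               sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- Weak check, as described in the thread (left commented out):
      CLIENT.USER_ID stays defined until the client variable purge, 10 days
      after the last hit by default, so the next person at the same browser
      passes it.
<cfif NOT IsDefined("CLIENT.USER_ID")>
    <cflocation url="index.cfm?fuseaction=login" addtoken="No">
</cfif>
--->

<!--- Hardened check (hypothetical stand-in for the secure include):
      the login flag lives in the SESSION scope, so it disappears after
      20 idle minutes. Like the client purge, the timer restarts on every
      request, so an active user is never logged out mid-visit. --->
<cflock scope="SESSION" type="READONLY" timeout="10">
    <cfset isLoggedIn = IsDefined("SESSION.USER_ID")>
</cflock>
<cfif NOT isLoggedIn>
    <cflocation url="index.cfm?fuseaction=login" addtoken="No">
</cfif>

<!--- Login handler, after credentials have been verified (verification is
      not shown; authenticatedUserId is an assumed variable holding the
      verified user's id). --->
<cflock scope="SESSION" type="EXCLUSIVE" timeout="10">
    <cfset SESSION.USER_ID = authenticatedUserId>
</cflock>

<!--- Logout handler: remove the flag immediately rather than waiting for
      the idle timeout. Session variables are still matched to the browser,
      so on a shared PC this is what closes the remaining window. --->
<cflock scope="SESSION" type="EXCLUSIVE" timeout="10">
    <cfset wasDeleted = StructDelete(SESSION, "USER_ID")>
</cflock>
```

The three handlers belong in separate templates; they are shown together only to keep the example in one place.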