CFID & CFTOKEN are used to identify a "SESSION", not a "USER."  This is an 
extremely important distinction.  If somebody logs in on a different 
computer, or uses a different browser on the same machine, while using the 
same username/password, there may be more than one "SESSION" open for that 
"USER."  The relationship between a SESSION and a USER account in a 
database is entirely superficial and is defined by the programmer, not by 
ColdFusion.  If you have a SESSION variable called "USER_ID" then that's 
how you're defining the relationship between the two.  You could just as 
easily call it "CHICKEN".  Additionally, a SESSION is started as soon as 
the first page request is made, so in that case you have an active SESSION 
even before the USER logs in and is authenticated by your database.

Note also that if you are using "session variables" to maintain state 
after login, and you are not explicitly referencing CFID and CFTOKEN, you 
are probably still using them (when cookies are enabled for session 
management, CFID and CFTOKEN are sent transparently with every page request 
as a cookie, even though you may not be aware of it.)

Hope that helps a little.

--Brendan Avery / [EMAIL PROTECTED]


At 03:03 PM 1/8/2001 -0500, you wrote:
>I have been programming in CF for about a year now and am still confused
>about the whole CFID & CFTOKEN thing. Most of what I have done involves
>internal corporate reporting, so I already have a user database with UserIDs
>that I use to recognize the user. Therefore I've had little need for CF
>generated IDs.
>
>I understand the basic concept CFID & CFTOKEN (please correct any flawed
>thinking):
>
>1. Assign a unique CFID & CFTOKEN pair to a new web user.
>2. Either store them as cookies, a database or pass them from page to page
>via the URL string to identify the user.
>
>Maybe I'm off base, but I see a number of potential problems/issues:
>
>1. If you have a login in your app, your users will not use the CFID to
>login, but rather a UserName/UserID of some sort. If that is the case why
>duplicate the identifying info by maintaining both a UserName/UserID and a
>CFID?
>
>2. If the user logs in from a different computer, s/he will be assigned a new
>CFID & CFTOKEN, correct? How does that serve to identify the user? Having a
>basic login with a chosen userid (one they can hopefully remember, "smithj",
>rather than CFID=23451) seems to do the trick just fine.
>
>I guess my main question is "if" you have to maintain a separate UserID from
>CFID & CFTOKEN, why use them at all. If you don't need to maintain a
>separate UserID, How would you log a user into an application? with their
>CFID?
>
>Just a bit confused about how this fits together. Any clarification would be
>great.
>
>
>
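
The session/user distinction from the reply above, as an added CFML example that is not part of the original thread: the session (with its CFID/CFTOKEN) exists from the first request, and `session.user_id` is only a variable the application sets after its own login check. The application name, the `demo_dsn` datasource, the table and column names, the page names and the `verifyPassword()` helper are all hypothetical.

```cfml
<!--- ===== Application.cfm: runs before every page request ===== --->
<!--- Enabling session management makes ColdFusion issue CFID/CFTOKEN on the
      first request and receive them back as cookies on every later request. --->
<cfapplication name="DemoApp"
               sessionmanagement="Yes"
               setclientcookies="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- The SESSION exists already; no USER is attached to it yet. --->
<cflock scope="session" type="exclusive" timeout="10">
    <cfparam name="session.user_id" default="">
</cflock>

<!--- ===== login_action.cfm: attach a USER to the current SESSION ===== --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">

<cfquery name="qUser" datasource="demo_dsn">
    SELECT user_id, password_hash
    FROM   users
    WHERE  username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- verifyPassword() is a hypothetical helper standing in for your own check. --->
<cfif qUser.recordcount EQ 1 AND verifyPassword(form.password, qUser.password_hash)>
    <cflock scope="session" type="exclusive" timeout="10">
        <!--- This assignment is the whole SESSION-to-USER relationship. --->
        <cfset session.user_id = qUser.user_id>
    </cflock>
    <!--- addtoken="No" keeps CFID/CFTOKEN out of the redirect URL. --->
    <cflocation url="home.cfm" addtoken="No">
<cfelse>
    <cflocation url="login.cfm" addtoken="No">
</cfif>

<!--- ===== home.cfm: any page that requires a logged-in USER ===== --->
<cflock scope="session" type="readonly" timeout="10">
    <cfset currentUserId = session.user_id>
    <cfset currentCfid = session.cfid>
</cflock>
<cfif currentUserId EQ "">
    <!--- Valid SESSION, but nobody has logged in on it. --->
    <cflocation url="login.cfm" addtoken="No">
</cfif>
<!--- The same user_id can sit under several CFID/CFTOKEN pairs at once
      (another browser, another machine); each pair is a separate SESSION. --->
<cfoutput>User #HTMLEditFormat(currentUserId)# on session CFID #HTMLEditFormat(currentCfid)#</cfoutput>
```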