>I think the scheduled process would be unnecessary. If you're offloading
>your authentication to NTLM and a user does not exist in the Spectra db, you
>would simply create an account (or even be really cool and send them to a
>profile page on their first "hit" where they could customize some of their
>info)
     -- Agreed.  The more I think about this way of doing things, the more it makes 
sense. I don't see any obvious security holes... you're not going to be able to access 
any .cfm templates unless you first get by the webserver security, thus your NT 
username and password must be entered.  Hypothetically I could see a user logging in 
with their NT username and password and then somehow modifying cgi.auto_user when it's 
sent to the server, thus letting them access someone else's account if they knew 
someone else's username... oohh well.


>As far as unscrupulous developers go, there's not much protection from them
>under any circumstances so no point in complicating things to avoid things
>that simply can't be avoided.
     -- The only way a developer is going to get access to Jeremy's NT password in the 
aforementioned example is by using a password cracking tool on the local machine or a 
network sniffer, which hopefully a network admin would notice.

Aaron
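The first-hit provisioning flow discussed above, as an added example that is not part of the original thread or of Spectra: a request handler that trusts only the user name the web server set after NTLM succeeded (the CGI REMOTE_USER / AUTH_USER variables), ignores anything the client could supply in a header, and creates the account on first hit. The in-memory user table and the AUTH_TYPE values are assumptions for illustration.

```python
"""Auto-provision an account on first hit, trusting only the web server's auth."""
from typing import Optional

# Constructed stand-in for the Spectra user table (hypothetical, in-memory).
USERS: dict[str, dict] = {}

def server_authenticated_user(environ: dict) -> Optional[str]:
    """Return the user name the web server authenticated, or None.

    REMOTE_USER / AUTH_USER are filled in by the server after NTLM succeeds.
    Anything the client sends as a header arrives under an HTTP_* key, so a
    spoofed 'Auth-User: jeremy' header becomes HTTP_AUTH_USER and is ignored.
    The AUTH_TYPE check assumes the server reports NTLM or Negotiate; it guards
    against a virtual directory where authentication was never switched on.
    """
    if environ.get("AUTH_TYPE", "").upper() not in ("NTLM", "NEGOTIATE"):
        return None
    user = environ.get("REMOTE_USER") or environ.get("AUTH_USER") or ""
    # NT account names are case-insensitive; normalise so "DOMAIN\Jeremy" and
    # "domain\jeremy" do not become two separate Spectra accounts.
    return user.lower() or None

def handle_request(environ: dict) -> tuple[int, str]:
    """Return (status, body-or-redirect) for one request."""
    user = server_authenticated_user(environ)
    if user is None:
        # No .cfm template is reachable without web server authentication.
        return 401, "web server authentication required"
    if user not in USERS:
        USERS[user] = {"profile_complete": False}
        return 302, "/profile"      # first hit: send them to their profile page
    return 200, f"welcome {user}"
```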
        
------------------------------------------------------------------------------
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/spectra_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
