This goes beyond what you ask for, but for good security, and if you have
a manageable number of client users, you can issue X.509 certificates to
them and use SSL client digital certificate authentication by the
web server.
You'd need to set up your own Certificate Authority to issue
certificates.  The CA that comes with Windows 2000 Server is probably the
easiest to play with, but there are open-source alternatives.

Once authenticated by the web server, this gives you the contents of that
client's certificate to play with, so things like email, username, the
company they work for, etc.  Because this is all taken care of by the web
server, you don't have to write any code to take care of this.  You can
still use an existing challenge password if you like.

On the web server end (I've done it on IIS and iPlanet) you basically
install and set up your CA's cert as a trusted cert.  This in turn means
that any client certificate issued by your CA is trusted (you can be
more granular than this if need be) and will be allowed to request
pages.  Because the user does not even get anywhere near an HTML or CF
page if denied, it removes the burden of writing the authentication code
from the developer.

Of course to be truly secure and use two-factor security you should
still challenge the user for a password.

-----Original Message-----
From: Urs Bertschy [mailto:[EMAIL PROTECTED]] 
Sent: Monday, September 09, 2002 10:26 AM
To: CF-Talk
Subject: Implementing "remember me" capability

I have built a role-based login/security-module with client vars in
database storage.

Now I am thinking about implementing an auto-logon feature. In the login
form a user can check a "remember me" checkbox and the app should
recognize and log on the user automatically in any future sessions.

How do you implement that, so that it's still safe?

I thought about storing the user data loginName and password (hashed) in
a cookie. But I think this is not really a safe method. What do you
think?




______________________________________________________________________
Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
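The reply above describes the client-certificate mechanism in words only, so here is an added example (not code from the original message, and nothing to do with the IIS or iPlanet configuration it mentions) that shows the same thing end to end with Go's standard library playing the web server's part: a self-made private CA, one client certificate issued by it and one it never issued, and a TLS handshake in which the server trusts only that CA and requires a client certificate. The names "Example Corp", alice, mallory and example.com are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

type Cred struct { // a certificate together with its private key
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issueCert creates a certificate for subj: self-signed when parent is nil (that is
// how the private CA itself is made), otherwise signed by the parent CA's key.
func issueCert(subj pkix.Name, emails []string, isCA bool, parent *Cred) (*Cred, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: subj, IsCA: isCA, BasicConstraintsValid: true, EmailAddresses: emails,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{"localhost"}, // DNS name only matters for the server cert
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent = &Cred{tmpl, key} // self-signed: sign the template with its own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Cred{cert, key}, err
}

// buildPKI stands in for "set up your own CA and issue certificates to your users".
func buildPKI() (trusted *x509.CertPool, server, alice, mallory *Cred) {
	must := func(c *Cred, err error) *Cred {
		if err != nil {
			panic(err) // only crypto/rand failing can get us here
		}
		return c
	}
	ca := must(issueCert(pkix.Name{CommonName: "Example Corp Private CA"}, nil, true, nil))
	trusted = x509.NewCertPool()
	trusted.AddCert(ca.Cert) // the one certificate the web server is told to trust
	server = must(issueCert(pkix.Name{CommonName: "localhost"}, nil, false, ca))
	alice = must(issueCert(pkix.Name{CommonName: "alice", Organization: []string{"Example Corp"}}, []string{"alice@example.com"}, false, ca))
	mallory = must(issueCert(pkix.Name{CommonName: "mallory", Organization: []string{"Example Corp"}}, []string{"mallory@example.com"}, false, nil)) // self-signed: same company name, but our CA never issued it
	return
}

// Authenticate runs one mutually authenticated TLS handshake over loopback TCP. ClientCAs is the CA
// cert "installed as trusted" and RequireAndVerifyClientCert the server's "require client certificate"
// switch: a client without a certificate from that CA is cut off before any page could be served.
func Authenticate(server, client *Cred, trusted *x509.CertPool) (pkix.Name, []string, error) {
	asTLS := func(c *Cred) tls.Certificate { return tls.Certificate{Certificate: [][]byte{c.Cert.Raw}, PrivateKey: c.Key} }
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return pkix.Name{}, nil, err
	}
	defer ln.Close()
	go func() { // the browser side: connect, offer its certificate, hang up
		cfg := &tls.Config{Certificates: []tls.Certificate{asTLS(client)}, RootCAs: trusted, ServerName: "localhost"}
		if c, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
			c.Close() // a TLS 1.3 client only learns of a rejection on its next read
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return pkix.Name{}, nil, err
	}
	srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{asTLS(server)}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trusted})
	defer srv.Close()
	if err := srv.Handshake(); err != nil {
		return pkix.Name{}, nil, err // denied here: no application code ever runs
	}
	leaf := srv.ConnectionState().PeerCertificates[0]
	return leaf.Subject, leaf.EmailAddresses, nil // what the application gets: CN, O, e-mail, all from the cert
}

func main() {
	trusted, server, alice, mallory := buildPKI()
	fmt.Println(Authenticate(server, alice, trusted))   // accepted: alice's subject and e-mail, nil error
	fmt.Println(Authenticate(server, mallory, trusted)) // refused: empty identity and the handshake error
}
```

Alice's handshake completes and the server hands the application her certificate's subject (CN, O) and e-mail, the fields the reply mentions, without any login code. Mallory's certificate carries the same company name but is refused at the handshake, so nothing downstream ever sees it: the subject fields are only worth believing because the CA that issued them is the one in the trust pool. The "more granular" check the reply alludes to would go where the subject is returned, for example comparing leaf.Subject.OrganizationalUnit or the CN against an allow-list before treating the user as logged in. One caveat: with TLS 1.3 the client's own handshake call returns success even when the server has already rejected its certificate, and the rejection only surfaces on the client's next read, which is why the example judges the outcome on the server side.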
