Ok, let me restate to be sure that I understand... The security issue for counting login attempts is that a user can continue attempts so long as they remove CFID & Token from the URL and turn off / delete cookies. This can be countered by:

1. Tracking failed logon attempts by IP address. These would have to be saved in either a DB, a file, or an Application variable, then compared before each logon attempt.
2. Once a valid User ID has been entered, track unsuccessful attempts, then email the user if attempts exceed a certain number. You could also lock the account and require the user to return the email, click on a link, or otherwise re-activate their account.
3. What else.......

Andy

-----Original Message-----
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 13, 2002 8:05 AM
To: CF-Talk
Subject: Re: Session Variables (was Login/Password screen)

Quoting Andy Ousterhout <[EMAIL PROTECTED]>:
>
> What do you mean, maintained on the client?

The client has to send the CFID and CFToken. If the client doesn't do that, the server will not be able to associate the appropriate session variables with the client request. That is not a problem when users are logged out when the session fails, but it leaves a security risk if the client is allowed more when the session is not present. Simply refusing the cookies with the CFID and CFToken would give me an unlimited number of login attempts.

Always design systems with a fail-close behaviour.

Jochem

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
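The countermeasures Andy lists (per-IP failure counting in server-side storage, per-account lockout after a threshold, reactivation via an emailed link) and Jochem's fail-closed point can be put together in a small server-side guard. The following is an added example written for this thread, not code from either poster and not ColdFusion: the logic is shown in Python, and the in-memory dictionaries stand in for the DB table, file, or Application scope the thread mentions. The thresholds, the 15-minute window, the `LoginGuard` name and the IP addresses are all assumptions constructed for the example. The important property is that no decision consults a session identifier, so a client that drops its CFID/CFTOKEN cookies starts with the same server-side count it had before.

```python
"""Server-side login attempt counter (illustrative example, not CF-Talk code).

If the failure counter lives in the client's session, a client that discards
its session cookies gets a fresh count. Keying the counters by source IP and
by user ID in server-side storage makes the limit independent of anything the
client chooses to send, which is the fail-closed behaviour the thread asks for.
"""
import secrets
import time
from collections import defaultdict

IP_WINDOW_SECONDS = 15 * 60   # assumed policy: count per-IP failures over 15 minutes
IP_MAX_FAILURES = 20          # assumed threshold before an IP is refused outright
USER_MAX_FAILURES = 5         # assumed threshold before an account is locked


class LoginGuard:
    """Hypothetical guard; the dicts stand in for a DB table / Application scope."""

    def __init__(self, notify, clock=time.time):
        self._ip_failures = defaultdict(list)   # ip -> [failure timestamps]
        self._user_failures = defaultdict(int)  # user_id -> consecutive failures
        self._locked = {}                       # user_id -> reactivation token
        self._notify = notify                   # callable(user_id, token): stands in for the e-mail
        self._clock = clock                     # injectable for testing the time window

    def _recent_ip_failures(self, ip):
        """Drop failures older than the window and return the remaining count."""
        now = self._clock()
        fresh = [t for t in self._ip_failures[ip] if now - t < IP_WINDOW_SECONDS]
        self._ip_failures[ip] = fresh
        return len(fresh)

    def attempt(self, ip, user_id, password_ok):
        """Evaluate one login attempt from `ip` for `user_id`.

        Returns 'ip_blocked', 'locked', 'ok' or 'failed'. Pass user_id=None when
        the submitted ID matches no account: only the per-IP counter moves then,
        so nothing is e-mailed for a name that does not exist. No session token is
        consulted anywhere, so removing CFID/CFTOKEN does not reset the counters.
        """
        if self._recent_ip_failures(ip) >= IP_MAX_FAILURES:
            return "ip_blocked"
        if user_id is not None and user_id in self._locked:
            return "locked"               # even a correct password is refused while locked
        if user_id is not None and password_ok:
            self._user_failures.pop(user_id, None)
            return "ok"
        self._ip_failures[ip].append(self._clock())
        if user_id is None:
            return "failed"
        self._user_failures[user_id] += 1
        if self._user_failures[user_id] >= USER_MAX_FAILURES:
            token = secrets.token_urlsafe(32)      # unguessable link token for the e-mail
            self._locked[user_id] = token
            self._notify(user_id, token)
            return "locked"
        return "failed"

    def reactivate(self, user_id, token):
        """Unlock the account when the user presents the e-mailed token."""
        expected = self._locked.get(user_id)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        del self._locked[user_id]
        self._user_failures.pop(user_id, None)
        return True


def demo():
    """Constructed scenario: repeated wrong passwords for one account from one IP."""
    sent = []                                           # captured 'e-mails'
    guard = LoginGuard(notify=lambda uid, tok: sent.append((uid, tok)))
    results = [guard.attempt("198.51.100.7", "alice", password_ok=False)
               for _ in range(USER_MAX_FAILURES)]
    after_lock = guard.attempt("198.51.100.7", "alice", password_ok=True)
    uid, token = sent[0]                                # user follows the link
    reactivated = guard.reactivate(uid, token)
    after_reactivation = guard.attempt("198.51.100.7", "alice", password_ok=True)
    return results, after_lock, reactivated, after_reactivation


if __name__ == "__main__":
    print(demo())
```

In a real deployment the counters would be written to the database (or the Application scope, with care for server restarts and clusters) rather than kept in process memory, and the notification callback would send the mail; the decision logic stays the same.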