> Actually, the way I do it is set a cookie.  Then at the top of all the
> pages that are "login" protected, I check for the cookie.. if it exists I
> know they are logged in since the cookie can't be set unless they have
> successfully logged in.

What type of cookie do you set?  The biggest mistake I see people make with
session management is just setting a Member_ID cookie that holds their
record ID, or a "loggedin" cookie, or some other very insecure means.

The problem with doing this is that using some very crafty Perl script, or
even something as simple as a cookie editor, someone could crack into
your site and get personal/confidential information, or even cause major
damage.

The way to combat this is to make the session cookie something that nobody
would be able to crack, like setting it with something like this...


<!--- Create the session value of doom. --->
<CFSET Variables.New_Session_ID = CreateUUID() & Right(GetTickCount(), 6)>
<!--- Assign it to the given user in the database for authentication. --->
<CFQUERY DATASOURCE="#Variables.DS#">
 UPDATE Member_Table
 SET Session_ID = <CFQUERYPARAM VALUE="#Variables.New_Session_ID#" CFSQLTYPE="CF_SQL_VARCHAR">
 WHERE Some_Condition = Met
</CFQUERY>
<!--- Set the session cookie (or session variable, take your pick) to
identify them. --->
<CFCOOKIE NAME="session_id" VALUE="#Variables.New_Session_ID#">


Using this method ensures that nobody will "spoof" the session cookie and
crack into your member pages.  If anyone finds a flaw in that method, please
let me know (cause I use it on lots of sites).

_______________________________________

Justin Scott :: [Staff Developer]
http://www.annex.com


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
https://secure.houseoffusion.com

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
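The two schemes contrasted in the post, as an added example in Python that is not from the post or from any ColdFusion code: the Member_ID cookie that is trusted as-is, beside a random-token cookie that is only a lookup key into the member table. MEMBERS, its field names and the usernames are constructed for the example; the token comes from the OS CSPRNG (secrets.token_urlsafe) rather than a UUID plus tick count, and only a SHA-256 digest of it is stored on the member row, so that a read of the table does not hand out live sessions. Both of those are the example's own choices, not something the post specifies.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the poster's Member_Table (example data, not a real site).
# Plaintext passwords only because password storage is not what the post is about.
MEMBERS = {
    1: {"username": "alice", "password": "correct horse", "session_hash": None},
    2: {"username": "bob",   "password": "hunter2",       "session_hash": None},
}


def _find_by_credentials(username, password):
    for member_id, member in MEMBERS.items():
        if member["username"] == username and member["password"] == password:
            return member_id, member
    return None, None


# --- The insecure scheme: the cookie is just the record ID. -----------------

def insecure_login(username, password):
    """Return the cookies a Member_ID-style login would set, or None."""
    member_id, _ = _find_by_credentials(username, password)
    return {"Member_ID": str(member_id)} if member_id is not None else None


def insecure_current_member(cookies):
    """Trusts the cookie value as-is: whoever edits it picks who they are."""
    value = cookies.get("Member_ID", "")
    return MEMBERS.get(int(value)) if value.isdigit() else None


# --- The random-token scheme from the post. ---------------------------------

def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def login(username, password):
    """On success, mint a fresh token, record its digest on the member row
    (replacing any earlier session, as the post's UPDATE does) and return
    the cookie to set."""
    _, member = _find_by_credentials(username, password)
    if member is None:
        return None
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    member["session_hash"] = _digest(token)    # never store the raw token
    return {"session_id": token}


def current_member(cookies):
    """The check at the top of every protected page: the cookie is only a
    lookup key; the member table decides whether it means anything."""
    token = cookies.get("session_id")
    if not token:
        return None
    wanted = _digest(token)
    for member in MEMBERS.values():
        stored = member["session_hash"]
        if stored and hmac.compare_digest(stored, wanted):
            return member
    return None


def logout(cookies):
    """Invalidate server-side, so a copied cookie stops working too."""
    member = current_member(cookies)
    if member:
        member["session_hash"] = None


if __name__ == "__main__":
    # Attacker logs in as bob, then edits the cookie to become member 1.
    forged = dict(insecure_login("bob", "hunter2"))
    forged["Member_ID"] = "1"
    print("insecure scheme, edited cookie ->", insecure_current_member(forged)["username"])

    # Same trick against the token scheme: an edited or guessed value fails.
    real = login("bob", "hunter2")
    print("token scheme, real cookie     ->", current_member(real)["username"])
    print("token scheme, edited cookie   ->", current_member({"session_id": "1"}))
```

Because the token is replaced on every login and cleared on logout, a cookie copied from one browser stops working as soon as the legitimate user signs in again or signs out; the cookie editor attack from the post only ever yields a value that matches no row.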
