I'm a bit uneasy about doing a periodic clean out because if their browser
does crash, a user will try to re-connect and will have to wait for the next
cleanup to kick in.

Would it be possible to do something like this?

User arrives at the site with the relevant certificate fields set in their
cgi vars.  
Set session.authenticated="TRUE", possibly insert the username along with
cookie CFID into an application level struct or array (I'm not expecting
large numbers of users so I'd prefer not to have to make a trip to the
database).

If that user tries to log in on another machine:
Search the application array to see if they're already logged in looking for
the right username and when you find it, you try to read their cookie CFID.
Deny access if you can read it, if you can't it means that their session has
ended and then go ahead and authenticate them.
How would you try to read another user's cookie though?

-----Original Message-----
From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 04, 2001 10:38 AM
To: CF-Talk
Subject: RE: Concurrent users and client certificates


Seems fairly easy...

In your application.cfm you need to do something like:
        a = username
        b = locationname
        if (select * from database where username=A => no records) and not (session.ok != OK)
                insert into database (UserName, Location, time) values (A,B,now())
                session.ok = OK
(1)     else if (select * from database where username=A => 1 record) and
                  (query.location = B)
                update database (UserName, Location, time) values (A,B,now()) where username=a
                session.ok = OK
        else
                print "Already connected"
        fi

Periodically, you need to go through the table and remove all records where
time is further ago than now() - lifetime_of_session.
Trouble is, when the user A closes their browser, then reopens it, we have
to force a login, hence (1).
However, you still have problems if they close their browser, and open a new
one from a new location before the periodic clean out gets done - tune your
lifetimes down :-)

-----Original Message-----
From: Kevin Gilchrist [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 04, 2001 3:28 PM
To: CF-Talk
Subject: Concurrent users and client certificates


Hi all,

I need to meet a business requirement where the same user cannot be logged
in concurrently, i.e. if I log in as kgilchrist from one machine, I can't log
in again from another machine until at least the first session ends.

At the moment users are given a client certificate which I authenticate
against a database and I then set a few session variables to mark them as
authenticated etc.  The session vars are disassociated when the browser
closes and loses the temp cookie.

As part of the authentication process, do I need to somehow search through
all the other sets of session variables?  How would I do that?

From reading some of the threads on the list it seems that using session
variables isn't necessarily a good thing either.  Need to do some
reading....

Thanks,
Kevin

Kevin Gilchrist
Senior Consultant
RedSiren Technologies Inc.
(412) 281 4427 ext 466
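
The scheme discussed in this thread, as an added example that is not code from either poster: an application-level registry keyed by username that records a location and a last-seen time, lets the same location re-claim (case (1) above), and checks staleness at login time in place of the periodic clean out. It is a language-neutral sketch in Python rather than CFML; `LoginRegistry`, `claim`, `release`, the lifetime value and the location strings are assumed names and values.

```python
import threading
import time

SESSION_LIFETIME = 20 * 60  # seconds; assumed value, match it to the session timeout


class LoginRegistry:
    """One active location per username; expiry is evaluated when a claim is made."""

    def __init__(self, lifetime=SESSION_LIFETIME, clock=time.time):
        self._lifetime = lifetime
        self._clock = clock              # injectable so the logic can be tested
        self._lock = threading.Lock()    # stands in for locking the application scope
        self._active = {}                # username -> (location, last_seen)

    def claim(self, username, location):
        """Call on every authenticated request. True means the request may proceed.

        How `location` is derived is left to the caller; the thread does not say.
        """
        now = self._clock()
        with self._lock:
            entry = self._active.get(username)
            if entry is not None:
                held_by, last_seen = entry
                stale = now - last_seen >= self._lifetime
                if held_by != location and not stale:
                    return False         # live session elsewhere: "Already connected"
            # New user, same location (browser closed and reopened), or stale entry:
            # record this location and refresh the timestamp.
            self._active[username] = (location, now)
            return True

    def release(self, username, location):
        """Explicit logout; only the location holding the entry can remove it."""
        with self._lock:
            entry = self._active.get(username)
            if entry is not None and entry[0] == location:
                del self._active[username]
                return True
            return False


if __name__ == "__main__":
    fake_now = [0.0]                     # constructed clock for the demonstration
    reg = LoginRegistry(lifetime=600, clock=lambda: fake_now[0])
    print(reg.claim("kgilchrist", "machine-a"))   # first login
    print(reg.claim("kgilchrist", "machine-b"))   # concurrent login elsewhere
    fake_now[0] = 600.0
    print(reg.claim("kgilchrist", "machine-b"))   # first entry has gone stale
```

Because a denied claim does not refresh the timestamp, a second machine retrying cannot keep the first machine's entry alive; only requests from the holding location do.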