I would just require that they have cookies on, and exclude putting cfid/cftoken in the URL.  I guess they could share the cfid/cftoken cookie, but you could do some IP address checking/monitoring to watch for people sharing cookies (not 100% accurate, of course).  If too many different IP addresses (speaking of the first three octets - 234.100.130.xxx) are used for the same login in a set period of time, you could disable the account.

Other considerations include the data stored in the client variables.  If the only information stored is their login status, then I think that there isn't a problem sharing client vars among apps.  However, if there is other information stored, you should separate them.  One day, you will be coding on application 'A' and you will mistakenly use the same variable name that application 'B' is using.  That could get ugly.

Dave



----- Original Message -----
From: "Richard Meredith-Hardy" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Sunday, April 14, 2002 11:37 PM
Subject: client cookies - strategy question


> I have this site which is pointed at by several URL's ie www.aaa.com,
> www.bbb.com Etc.
>
> I want to have users log in only once in any of the sites and then be
> able to freely switch between sites in a logged-in state.  The
> application name is the same for all.
>
> The client can have access to the same client vars on the server if the
> CFID & CFTOKEN in any URL's or forms which switch between sites (ie is
> setting cookies pointing to the same CFID & CFTOKEN for each site)
>
> Is this a really bad idea?
>
> I can think of one serious inherent risk:  copying url's with CFID &
> CFTOKEN in them and sending them to friends.
>
> This can be alleviated with client vars like aaaVisitedOnce =
> true/false, bbbVisitedOnce = true/false etc with the default false, but
> once true (ie after first ever visit) the cookie is set for that site so
> the CFID & CFTOKEN no longer needs to be passed in URL's (or forms) so
> the risk is reduced to only when the user has never visited the other
> site.
>
> or perhaps a more solid approach would be if any of my
> client.xxxVisitedOnce vars were false then I could include a hidden
> frame in the page calling a very small page from that site with the CFID
> & CFTOKEN so cookies get set on all "false" sites invisibly.
>
> It's the principle of sharing one CFID & CFTOKEN  between many sites
> which I am wondering about though....
>
>
> --
> Regards;
>
> Richard Meredith-Hardy
> -------------------------------------------------------------
> [EMAIL PROTECTED]
> Mob: + 44 7771 526513
> 
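Dave's idea of watching for one login arriving from too many different /24 prefixes in a set period, as an added Python example that is not from this thread or from any ColdFusion code: the log records, logins, addresses, one-hour window and threshold of three prefixes are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: (login, client IP, timestamp). Made-up data.
SAMPLE_LOG = [
    ("alice", "234.100.130.5",  "2002-04-14 22:00:00"),
    ("alice", "234.100.130.77", "2002-04-14 22:05:00"),  # same /24 as the line above
    ("alice", "198.51.100.9",   "2002-04-14 22:10:00"),
    ("alice", "203.0.113.4",    "2002-04-14 22:20:00"),
    ("alice", "192.0.2.44",     "2002-04-14 22:25:00"),  # 4th distinct /24 in 25 minutes
    ("bob",   "198.51.100.9",   "2002-04-14 22:00:00"),
    ("bob",   "198.51.100.10",  "2002-04-14 23:30:00"),
    ("carol", "203.0.113.4",    "2002-04-14 20:00:00"),
    ("carol", "192.0.2.44",     "2002-04-14 23:50:00"),  # more than an hour after the first
    ("carol", "233.1.1.1",      "2002-04-14 23:55:00"),
]


def prefix24(ip):
    """First three octets of a dotted IPv4 address, e.g. 234.100.130.xxx -> 234.100.130."""
    return ".".join(ip.split(".")[:3])


def flag_shared_logins(records, window=timedelta(hours=1), max_prefixes=3):
    """Return {login: set of /24 prefixes} for every login that was used from more than
    max_prefixes distinct /24s inside any span of length `window`.

    Users behind one NAT collapse into one prefix, and a user behind a rotating proxy
    pool can trip this alone, so treat a hit as a signal to review, not proof of sharing.
    """
    by_login = defaultdict(list)
    for login, ip, ts in records:
        stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_login[login].append((stamp, prefix24(ip)))

    flagged = {}
    for login, events in by_login.items():
        events.sort()  # time order so the sliding window below is valid
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until all events fit inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            prefixes = {p for _, p in events[start:end + 1]}
            if len(prefixes) > max_prefixes:
                flagged[login] = prefixes
                break
    return flagged
```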
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/