> I have this site which is pointed at by several URL's ie www.aaa.com,
> www.bbb.com Etc.
>
> I want to have users log in only once in any of the sites and then be
> able to freely switch between sites in a logged-in state. The
> application name is the same for all.

Here's how I would do this...

1. I use a two-cookie system for maintaining state, a member_id and a session_id. When someone logs into one of the sites, give them the member_id cookies, generate a random session hash with CreateUUID(), put that in the database, then set the session_id cookie with that value.

2. In your security code, check the cookies against the values in the database (I set a cache on this query of 2-3 minutes). If no records are returned, or if the last_action value (below) is too out of date (15-20 mins) then they are NOT logged in and need to be directed to login page. If they ARE logged in, update the last_action column.

3. In any links to your other sites, include the current session_id on the URL with a special variable name. In the Application.cfm (or other global file) check for this value. If present, check the database for a user with that ID and a recent last_action value. If one is found, set the member_id and session_id cookies just as if they had logged in directly to that site.

* You would not have to worry about someone copying a URL and getting access at a later date. The chances of someone having the exact same session hash generated by CreateUUID() within your session timeout period is practically non-existent.

* You won't need to worry about CF's session/client management. If your application scales to the point where it needs to run on clustered servers, your authentication won't break.

If you have any questions, feel free to mail me off-list.

-Justin Scott, Lead Developer
 Sceiron Internet Services, Inc.
 http://www.sceiron.com
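
Added example, not part of the original post and not ColdFusion code: a small Python model of the three steps above, using an in-memory SQLite table in place of the shared database and `uuid.uuid4()` in place of `CreateUUID()`. The table layout, function names and the 15-minute limit are assumptions chosen for illustration.

```python
import sqlite3
import uuid
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)  # assumption: low end of the 15-20 min range

def make_db():
    # Constructed schema: one row per login, shared by every site.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (member_id INTEGER, "
               "session_id TEXT PRIMARY KEY, last_action TEXT)")
    return db

def login(db, member_id, now):
    """Step 1: store a random session id, return the two cookie values."""
    session_id = str(uuid.uuid4())
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
               (member_id, session_id, now.isoformat()))
    return {"member_id": member_id, "session_id": session_id}

def fresh_row(db, session_id, now):
    """Return (member_id, last_action) only if the session exists and is recent."""
    row = db.execute("SELECT member_id, last_action FROM sessions "
                     "WHERE session_id = ?", (session_id,)).fetchone()
    if row is None or now - datetime.fromisoformat(row[1]) > IDLE_LIMIT:
        return None
    return row

def check(db, cookies, now):
    """Step 2: both cookies must match a recent row; then refresh last_action."""
    row = fresh_row(db, cookies.get("session_id", ""), now)
    if row is None or row[0] != cookies.get("member_id"):
        return False  # caller sends the user to the login page
    db.execute("UPDATE sessions SET last_action = ? WHERE session_id = ?",
               (now.isoformat(), cookies["session_id"]))
    return True

def accept_handoff(db, url_session_id, now):
    """Step 3: the receiving site turns a URL session id into its own cookies."""
    row = fresh_row(db, url_session_id, now)
    if row is None:
        return None  # unknown or stale id: no cookies are set
    return {"member_id": row[0], "session_id": url_session_id}
```

In this model a session id taken from a URL is accepted exactly as long as the matching cookie would be, so the `last_action` limit is the only thing that expires a copied link. All lookups use bound parameters because the id arrives from the query string.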