Justin, seems a bit complicated in that you seem to be effectively duplicating the built-in functionality of client variables. I am not using session variables on this [shared] server because the *?xx! thing is constantly being restarted and you end up losing stuff.

From what you seem to be saying though, my scheme might be OK.

Justin Scott wrote:
>
> > I have this site which is pointed at by several URLs, i.e. www.aaa.com,
> > www.bbb.com etc.
> >
> > I want to have users log in only once in any of the sites and then be
> > able to freely switch between sites in a logged-in state. The
> > application name is the same for all.
>
> Here's how I would do this...
>
> 1. I use a two-cookie system for maintaining state, a member_id and a
> session_id. When someone logs into one of the sites, give them the
> member_id cookie, generate a random session hash with CreateUUID(), put
> that in the database, then set the session_id cookie with that value.
>
> 2. In your security code, check the cookies against the values in the
> database (I set a cache on this query of 2-3 minutes). If no records are
> returned, or if the last_action value (below) is too out of date (15-20
> mins) then they are NOT logged in and need to be directed to the login page. If
> they ARE logged in, update the last_action column.
>
> 3. In any links to your other sites, include the current session_id on the
> URL with a special variable name. In the Application.cfm (or other global
> file) check for this value. If present, check the database for a user with
> that ID and a recent last_action value. If one is found, set the member_id
> and session_id cookies just as if they had logged in directly to that site.
>
> * You would not have to worry about someone copying a URL and getting access
> at a later date. The chances of someone having the exact same session hash
> generated by CreateUUID() within your session timeout period are practically
> non-existent.
>
> * You won't need to worry about CF's session/client management. If your
> application scales to the point where it needs to run on clustered servers,
> your authentication won't break.
>
> If you have any questions, feel free to mail me off-list.
>
> -Justin Scott, Lead Developer
> Sceiron Internet Services, Inc.
> http://www.sceiron.com
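The two-cookie scheme and cross-site handoff Justin describes above, as an added Python example that is not from the original thread: an in-memory table stands in for the database, uuid4 stands in for CreateUUID(), and the 2-3 minute query cache is left out, so a session is rejected as soon as its last_action ages past the 15-minute window (the post allows 15-20).

```python
import uuid
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)  # the post's 15-20 minute last_action window


class SessionStore:  # in-memory stand-in for the sessions table (constructed here)
    def __init__(self):
        self.rows = {}  # session_id -> {"member_id": ..., "last_action": datetime}

    def login(self, member_id, now):
        """Step 1: random session hash (uuid4 stands in for CreateUUID()) -> two cookies."""
        session_id = str(uuid.uuid4())
        self.rows[session_id] = {"member_id": member_id, "last_action": now}
        return {"member_id": member_id, "session_id": session_id}

    def _fresh_row(self, session_id, now):
        row = self.rows.get(session_id)
        if row is None or now - row["last_action"] > IDLE_TIMEOUT:
            self.rows.pop(session_id, None)  # unknown or idle too long: not logged in
            return None
        return row

    def check_cookies(self, cookies, now):
        """Step 2: both cookies must match a recent row; refresh last_action on success."""
        row = self._fresh_row(cookies.get("session_id"), now)
        if row is None or row["member_id"] != cookies.get("member_id"):
            return False
        row["last_action"] = now
        return True

    def handoff(self, url_session_id, now):
        """Step 3: session_id arrives on the URL; return cookies to set, or None if stale."""
        row = self._fresh_row(url_session_id, now)
        if row is None:
            return None
        row["last_action"] = now
        return {"member_id": row["member_id"], "session_id": url_session_id}


def run_scenario():
    """Login on www.aaa.com, follow a link to www.bbb.com, then replay that URL late."""
    store = SessionStore()
    t0 = datetime(2001, 1, 1, 12, 0)
    cookies = store.login(member_id=42, now=t0)
    forged = {"member_id": 43, "session_id": cookies["session_id"]}  # wrong member_id cookie
    return {
        "valid_cookies": store.check_cookies(cookies, t0 + timedelta(minutes=5)),
        "wrong_member_id": store.check_cookies(forged, t0 + timedelta(minutes=6)),
        "handoff_fresh": store.handoff(cookies["session_id"], t0 + timedelta(minutes=10)) == cookies,
        "handoff_replayed_late": store.handoff(cookies["session_id"], t0 + timedelta(minutes=40)),
    }
```

`run_scenario()` shows the handoff succeeding ten minutes after login and the same URL being refused forty minutes later, which is the "copied URL" case the post relies on the timeout to cover.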