> I have been programming in CF for about a year now and am still confused
> about the whole CFID & CFTOKEN thing. Most of what I have done involves
> internal corporate reporting, so I already have a user database with UserIDs
> that I use to recognize the user. Therefore I've had little need for CF
> generated IDs.
>
> I understand the basic concept CFID & CFTOKEN (please correct any flawed
> thinking):
No problem. :)
> 1. Assign a unique CFID & CFTOKEN pair to a new web user.
> 2. Either store them as cookies, a database or pass them from page to page
> via the URL string to identify the user.
Actually, CFID and CFTOKEN are stored on the server in RAM if you are using
just session management. If you are using client management, then they are
stored in the registry by default or in the database if you make provisions
for this.
On the client side, the CFID and CFTOKEN variables are stored as cookies
(either in RAM if they are set to expire when the browser closes) or on the
hard drive. If the client has cookies turned off and you have taken the time
to embed the CFID and CFTOKEN values in each of the hrefs, then that is
where they exist.
> Maybe I'm off base, but I see a number of potential problems/issues:
>
> 1. If you have a login in your app, your users will not use the CFID to
> login, but rather a UserName/UserID of some sort. If that is the case why
> duplicate the identifying info by maintaining both a UserName/UserID and a
> CFID?
Correct...sort of. Allaire has simplified your job as a developer by
creating a fairly robust mechanism by which ColdFusion can track and
identify users without placing sensitive information on the client's
computer such as usernames or even ID fields that correspond to their
records in the database.
> 2. If the user logs in from a different computer, s/he will be assigned a new
> CFID & CFTOKEN, correct? How does that serve to identify the user?
Correct. Nothing will go from computer to computer. This is a limitation of
just about everything that involves the Web. :)
> Having a
> basic login with a chosen userid (one they can hopefully remember, "smithj",
> rather than CFID=23451) seems to do the trick just fine.
The user never has to know what their CFID and CFTOKEN are. If you are
making the user log in with these, then you are approaching this problem
from the wrong angle. CFID and CFTOKEN are used by ColdFusion to identify
unique users and make use of persistent variables such as SESSION and CLIENT
scoped variables. These will not work without CFID and CFTOKEN.
One thing I like to do is set up a table with the following fields:
Accounts
=================
Account_ID
Account_Username
Account_Password
Account_AutoLogon
CFID
CFTOKEN
Then, when the user comes to the site, I check to see if their CFID and
CFTOKEN are in my table. If they are, and Account_AutoLogon is set to true,
then I just let them in (like a "Remember Me" feature). If Account_AutoLogon
is set to false, then I present them with a login form with the
Account_Username filled into the Username field. If they are not in the
database, then I present them with a form that lets them log in or create an
account. If they log in, I reset the CFID and CFTOKEN values stored in the
database to the fresh ones.
> I guess my main question is "if" you have to maintain a separate UserID from
> CFID & CFTOKEN, why use them at all. If you don't need to maintain a
> separate UserID, How would you log a user into an application? with their
> CFID?
As mentioned above, they are required if you are using SESSION or CLIENT
variables. They also make the job of logging in and managing users
relatively easy without exposing sensitive information on the client
computer.
> Just a bit confused about how this fits together. Any clarification would be
> great?
Oh...it's clarification you're after. Well, I've probably just confused you
more. :)
Benjamin S. Rogers
Web Developer, c4.net
voice: (508) 240-0051
fax: (508) 240-0057
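
The Accounts lookup flow described in the reply above, as an added example that is not part of the original post and is not ColdFusion code: a Python/sqlite3 model of the table so it runs offline. The function names, the token values and the salted PBKDF2 storage of Account_Password are assumptions; the post does not say how the password is stored.

```python
import hashlib, hmac, os, sqlite3

def make_db():
    """In-memory stand-in for the Accounts table listed in the post."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE Accounts (
        Account_ID INTEGER PRIMARY KEY, Account_Username TEXT UNIQUE,
        Account_Password BLOB, Account_AutoLogon INTEGER,
        CFID TEXT, CFTOKEN TEXT)""")
    return db

def hash_password(password, salt=None):
    # Assumption: Account_Password holds salt + PBKDF2 hash, not the plain text.
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_account(db, username, password, auto_logon):
    db.execute("INSERT INTO Accounts (Account_Username, Account_Password,"
               " Account_AutoLogon) VALUES (?, ?, ?)",
               (username, hash_password(password), int(auto_logon)))

def on_visit(db, cfid, cftoken):
    """Return (action, username) for a visitor presenting this CFID/CFTOKEN."""
    row = db.execute("SELECT Account_Username, Account_AutoLogon FROM Accounts"
                     " WHERE CFID = ? AND CFTOKEN = ?", (cfid, cftoken)).fetchone()
    if row is None:
        return ("login_or_create", None)   # pair not in the table
    username, auto_logon = row
    if auto_logon:
        return ("logged_in", username)     # the "Remember Me" case
    return ("login_form", username)        # prefill the Username field

def on_login(db, username, password, cfid, cftoken):
    """Verify the password, then store the visitor's fresh CFID/CFTOKEN."""
    row = db.execute("SELECT Account_ID, Account_Password FROM Accounts"
                     " WHERE Account_Username = ?", (username,)).fetchone()
    if row is None:
        return False
    account_id, stored = row
    if not hmac.compare_digest(hash_password(password, stored[:16]), stored):
        return False
    db.execute("UPDATE Accounts SET CFID = ?, CFTOKEN = ? WHERE Account_ID = ?",
               (cfid, cftoken, account_id))
    return True

if __name__ == "__main__":
    db = make_db()
    add_account(db, "smithj", "constructed-password", auto_logon=True)
    print(on_visit(db, "23451", "constructed-token-1"))
    print(on_login(db, "smithj", "constructed-password", "23451", "constructed-token-1"))
    print(on_visit(db, "23451", "constructed-token-1"))
```

Because each login overwrites the stored pair, only the browser used for the most recent login is recognized on the next visit.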