"Is CFLogin the most powerful method for login? I've used query checks
in the past, is that adequate or is CFLogin much better?"
Neither. CFLogin is really just a specific-purpose IF block. Code
within the opening and closing <cflogin...> tags is run when a user is
not logged in with the <cfloginuser...> tag. Inside this block one
still needs to validate the credentials provided by the user, often with
a query check.
The <cflogin...><cfloginuser...> combination provides an easy to
interpret and use mechanism to run conditional code and persist a user
login state from request to request. It is basically equivalent to one's
own <cfif...> logic combined with session data for the user state.
Under the hood it is using the same mechanisms.
I usually prefer to roll my own solution because I often want to store
more state data about a user than is allowed with the <cfloginuser...>
tag and the related getAuthUser() and isUserInRole() functions.
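
The pattern described in the answer above, as an added example that is not part of the original thread: the `<cflogin>` body runs only while no user is logged in, the credentials are still validated with a query, and `<cfloginuser>` persists the login. The datasource `appDSN`, the `users` table and its columns, the `loginform.cfm` template and the salted SHA-256 storage format are all assumptions.

```cfml
<!--- Application.cfm (added example; every name below is hypothetical) --->
<cfapplication name="demoApp" sessionmanagement="yes" loginstorage="session">

<cflogin idletimeout="1800">
    <!--- Everything inside this block is skipped once cfloginuser has run --->
    <cfif NOT isDefined("cflogin")>
        <!--- No j_username / j_password submitted yet: show the form and stop --->
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>

    <!--- The query check: cfqueryparam binds the user-supplied name,
          so it is never concatenated into the SQL text --->
    <cfquery name="qUser" datasource="appDSN">
        SELECT username, pw_salt, pw_hash, roles
        FROM   users
        WHERE  username = <cfqueryparam value="#cflogin.name#"
                                         cfsqltype="cf_sql_varchar" maxlength="64">
    </cfquery>

    <!--- Assumed storage format: uppercase hex of SHA-256(salt & password).
          hash() is used because it is built in; prefer a slow password
          hash where the platform offers one. --->
    <cfif qUser.recordCount EQ 1
          AND compare(qUser.pw_hash,
                      hash(qUser.pw_salt & cflogin.password, "SHA-256")) EQ 0>
        <!--- Persists the login state; roles feed isUserInRole() --->
        <cfloginuser name="#qUser.username#"
                     password="#cflogin.password#"
                     roles="#qUser.roles#">
    <cfelse>
        <!--- Same response for unknown user and wrong password --->
        <cfset loginFailed = true>
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>
</cflogin>

<!--- Past this point getAuthUser() returns the logged-in username --->
```
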
We've done something similar here - where we pass to a 3rd party, or act as a 3rd party. We use a mixture of SSL and encryption - either Blowfish or PGP (depending on the 3rd party).
PGP is more secure, and we purchased the CFX_PGP tag to do this. It was the only tag available and has worked well thus far. Although, if you are using CF8 there may be some .Net solutions you could now integrate (not speaking authoritatively there).
You'll need a copy of PGP Desktop to create your public and private keys - you can give the private key to the 3rd client party, exchange the data, have them decrypt, then do the same for the round trip.
Thanks for the replies guys, I'll take a look at these methods. We're still at 7 and no immediate plans to upgrade so we'll go with what we can.
I have another question that's somewhat related. We just went to a UNIX shared web server setup. The replication seems to be having problems and I'm having a hard time tracking down which server is the problem. What I'd like to do is put in code that displays in a comment (html) which server is being used at that time.
I looked through all of the CGI variables but I can't find one that tells me the server name or IP address. I swear this was an option used at a company I worked for long ago.
In application.cfm put in a variable with the unique name of the server, and report on that. This will make your code slightly different from server to server, so you could have application read a text file to populate the variable, and then just change the text in the file.
Just a thought.