Adobe 38043740 - ColdFusion Standard - Mac Development Manual page 349


DEVELOPING COLDFUSION 9 APPLICATIONS
Developing CFML Applications
ColdFusion authentication storage and persistence
How ColdFusion application authentication information is maintained by the browser and ColdFusion, and therefore
how long it is available, depends on the following:
• Whether the user's browser enables cookies
• Whether the application supports the Session scope for login storage
Note: For detailed information on Session scope, see "Configuring and using session variables" on page 311. Cookie scope
contains the cookies that the browser sends; for more information on using cookies, see cfcookie in the CFML Reference.
Authentication and cookies
Because HTTP is connectionless, a login can last beyond a single web page viewing only if the browser provides a
unique identifier that software on the server uses to confirm that the current user is authenticated. Normally, this is
done by using memory-only cookies that are automatically destroyed when the user closes all open browser windows.
The specific cookies and how they are used depend on whether the application supports the Session scope for login
storage.
Note: For information on user logins without cookies, see "Using ColdFusion security without cookies" on page 344.
Using the Session scope
If you do the following, ColdFusion maintains login information in the Session scope instead of the Cookie scope:
• Enable the Session scope in the ColdFusion Administrator and the Application.cfc initialization code or
cfapplication tag.
• Specify loginStorage="Session" in the Application.cfc initialization code or cfapplication tag.
When ColdFusion maintains login information in the Session scope, it stores the authentication details in a
Session.cfauthorization variable, and ColdFusion uses the session cookie information to identify the user. Session-
based authentication has the following advantages over less persistent login storage:
• After the user logs in, the user ID and password are not passed between the server and the browser.
• The login information and the session share a single time-out. You do not have to manually synchronize sessions
and logins.
• If you use server clusters, the Session scope login ID is available across the cluster. For more information on server
clustering, see Configuring and Administering ColdFusion.
If you do not enable the Session scope, the authentication information is not kept in a persistent scope. Instead, the
detailed login information is placed in a memory-only cookie (CFAUTHORIZATION_applicationName) with a
base64-encoded string that contains the user name, password, and application name. The client sends this cookie to
the web server each time it makes a page request while the user is logged-in. Use SSL for all page transactions to protect
the user ID and password from unauthorized access.
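As an added example (this is not code from the Adobe manual), an Application.cfc that selects Session-scope login storage as described above and performs the login with cflogin and cfloginuser in onRequestStart; the in-memory user table, the validate() function and loginform.cfm are hypothetical:

```cfml
<!--- Application.cfc (added example, not from the manual): Session-scope login storage --->
<cfcomponent output="false">
    <cfset this.name = "secureApp">
    <!--- Both settings are needed for Session-scope login storage; session
          management must also be enabled in the ColdFusion Administrator. --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>
    <cfset this.loginStorage = "Session">
    <!--- Without this.loginStorage = "Session", the user name and password would travel
          base64-encoded in the CFAUTHORIZATION_secureApp cookie on every request instead. --->

    <!--- Constructed in-memory user table (hypothetical; a real application uses a user store).
          Only a SHA-256 hash of the password is kept, never the password itself. --->
    <cfset variables.users = {}>
    <cfset variables.users["alice"] = { hash = hash("correct horse battery", "SHA-256"), roles = "user,editor" }>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- The manual says to use SSL for all page transactions: refuse plain HTTP. --->
        <cfif NOT cgi.server_port_secure>
            <cflocation url="https://#cgi.server_name##cgi.script_name#" addtoken="false">
        </cfif>
        <!--- cflogin's body runs only while no user is logged in for this application. After
              cfloginuser runs, the identity lives in Session.cfauthorization and expires with
              the session; cflogin.name / cflogin.password are filled from the posted
              j_username / j_password form fields (or HTTP basic authentication). --->
        <cflogin idletimeout="1200">
            <cfif isDefined("cflogin") AND validate(cflogin.name, cflogin.password)>
                <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
                             roles="#variables.users[cflogin.name].roles#">
            <cfelse>
                <cfinclude template="loginform.cfm"> <!--- hypothetical login form --->
                <cfabort>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>

    <!--- Hypothetical credential check against the constructed table above. --->
    <cffunction name="validate" returntype="boolean" output="false" access="private">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfreturn structKeyExists(variables.users, arguments.username)
                  AND compare(variables.users[arguments.username].hash,
                              hash(arguments.password, "SHA-256")) EQ 0>
    </cffunction>
</cfcomponent>
```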
Using ColdFusion security without cookies
Implement a limited-lifetime form of ColdFusion security if the user's browser does not support cookies. In this case
you do not use the cflogin tag, only the cfloginuser tag. It is the only time you should use the cfloginuser tag outside a
cflogin tag. Without browser cookies, the effect of the cfloginuser tag is limited to a single HTTP request. Provide your own
authentication mechanism and call cfloginuser on each page on which you use ColdFusion login identification.
Last updated 1/20/2012
344