Adobe 38043740 - ColdFusion Standard - Mac Development Manual page 351

Developing applications

DEVELOPING COLDFUSION 9 APPLICATIONS
Developing CFML Applications
ColdFusion uses the applicationToken value to generate a unique identifier that enforces this rule. The default applicationToken value is the current application name, as specified by a cfapplication tag or Application.cfc initialization code. In normal use, you need not specify an applicationToken value in the cflogin tag.

Specifying the Internet domain
Use the cookieDomain attribute to specify the domain of the cookie used to mark a user as logged-in. You use cookieDomain if you have a clustered environment (for example, www.acme.com, www2.acme.com, and so on). This lets the cookie work for all computers in the cluster. For example, to ensure that the cookie works for all servers in the acme.com domain, specify cookieDomain=".acme.com". To specify a domain name, start the name with a period.
Important: Before setting the cookie domain, consider that other applications or servers in the broader domain might have access to the cookie. For example, a clustered payroll application at payroll1.acme.com, payroll2.acme.com, and so on, might reveal sensitive information to the test computer at test.acme.com, if the cookie domain is broadly set to ".acme.com".

Getting the user ID and password
The cflogin tag has a built-in cflogin structure that contains two variables, cflogin.username and cflogin.password, if the page is executing in response to any of the following:
• Submission of a login form that contains input fields with the names j_username and j_password.
• A request that uses HTTP Basic authentication and, therefore, includes an Authorization header with the user name and password.
• A message from the Flash Remoting gatewayConnection object that has the setCredentials method set.
• A request that uses NTLM or Digest authentication. In this case, the user name and password are hashed using a one-way algorithm before they are placed in the Authorization header; ColdFusion gets the user name from the web server and sets the cflogin.password value to the empty string.
You use the first three techniques with application authentication, and the last technique with web server authentication. The cflogin structure provides a consistent interface for determining the user's login ID and password, independent of the technique that you use for displaying the login form.
Important: Login forms send the user name and password without encryption. Basic HTTP authentication sends the user name and password in a base64-encoded string with each request; this format can easily be converted back to plain text. Use these techniques only with HTTPS requests, or when you are not concerned about password security.
Provide login information to your application for authentication as follows:

Use a login form to get user information
When you build an application that gets the User ID and password using a login form, the cflogin tag checks for the existence of a cflogin structure containing the user's login information. If the structure does not exist, it displays a login form, typically using a cfinclude tag on a login page; the following code shows this use.
In the Application.cfc onRequestStart method, or a ColdFusion page or CFC method called by the method, you have the following:
Last updated 1/20/2012
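
Added example (not from the Adobe manual): the cookieDomain warning earlier on this page can be checked against a host inventory before the attribute is set. The sketch applies RFC 6265 domain matching to the page's host names; the function names, the null-means-host-only convention and the n1/n2.payroll.acme.com hosts are assumptions made for illustration.

```javascript
// Added example: RFC 6265 section 5.1.3 domain matching applied to the hosts above.
// cookieDomain is the value given to the cookieDomain attribute; null models an
// unset attribute (assumption: the cookie is then host-only, bound to issuingHost).
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

function cookieSentTo(requestHost, cookieDomain, issuingHost) {
  const host = requestHost.toLowerCase().replace(/\.$/, "");
  if (cookieDomain === null) return host === issuingHost.toLowerCase();
  // Browsers strip a leading period before matching.
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  // Suffix match must fall on a label boundary and never applies to IP addresses.
  return !isIpLiteral(host) && host.endsWith("." + domain);
}

// Every host in the inventory whose requests would carry the login cookie.
function exposure(hosts, cookieDomain, issuingHost) {
  return hosts.filter((h) => cookieSentTo(h, cookieDomain, issuingHost));
}

// Narrowest cookieDomain covering all cluster members. Returns null when a
// host-only cookie suffices or when only a top-level label is shared
// (simplification: real browsers consult the Public Suffix List).
function narrowestSharedDomain(clusterHosts) {
  const names = [...new Set(clusterHosts.map((h) => h.toLowerCase()))];
  if (names.length === 1) return null;
  const labels = names.map((h) => h.split(".").reverse());
  const common = [];
  for (let i = 0; labels.every((l) => l[i] !== undefined && l[i] === labels[0][i]); i++) {
    common.push(labels[0][i]);
  }
  return common.length >= 2 ? "." + common.reverse().join(".") : null;
}

// Constructed inventory: the host names used on this page.
const PAGE_HOSTS = ["www.acme.com", "www2.acme.com", "payroll1.acme.com",
                    "payroll2.acme.com", "test.acme.com"];
// Hypothetical renaming that gives the payroll cluster its own subdomain.
const RENAMED = ["n1.payroll.acme.com", "n2.payroll.acme.com"];

const shared = narrowestSharedDomain(["payroll1.acme.com", "payroll2.acme.com"]);
console.log(shared, exposure(PAGE_HOSTS, shared, "payroll1.acme.com"));
const scoped = narrowestSharedDomain(RENAMED);
console.log(scoped, exposure(PAGE_HOSTS.concat(RENAMED), scoped, RENAMED[0]));
```

With the page's naming, the only domain shared by payroll1.acme.com and payroll2.acme.com is .acme.com, which also reaches test.acme.com. Placing the cluster under its own subdomain is what allows the login cookie to be scoped away from the test computer.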
