In addition to the basic (and not so basic) functionality described thus far, the security framework features some more advanced options that may be used as needed.

Setting the Time-out

The default login time-out is 30 minutes (1800 seconds). To change this value, pass a new time-out (in seconds) to the idletimeout attribute in the <cflogin> tag.

Securing Parts of an Application

By default, security is tied to the ColdFusion application. Any code in the same application (sharing the same application name) shares the same security system. This behavior can be changed by specifying a name in the <cflogin> applicationtoken attribute. Security will then be shared only by code using the same applicationtoken. A single application can have multiple applicationtoken values for different sections, allowing various sections to be secured in different ways. In addition, a number of applications can share security if needed.

Restricting Clients Based on Domain

The <cflogin>-based security system will allow logins from any host as long as the user can be authenticated. To restrict access to specific hosts, specify the domain in the <cflogin> cookiedomain attribute. For example, the following allows logins only from hosts in the domain forta.com:

<cflogin cookiedomain="forta.com">

NOTE: cookiedomain can also be used to specify subdomains and even specific hosts if needed.

Cookieless Security

<cflogin> depends on HTTP cookies. If cookies cannot be used, logins may still occur, lasting only for the duration of the single request. This may be desirable if credentials are passed back on each request, or if you are building a single-request system (for example, a Web Service).

Web Services are covered in Chapter 32, "Web Services."

If cookies are not being used, <cfloginuser> should be used without the <cflogin> tag.
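
The idletimeout, applicationtoken and cookiedomain attributes described above can be combined in one <cflogin> block. The following Application.cfm is an added example, not code from the book; the application name, token value, datasource, table and column names, and loginform.cfm are assumptions, and GeneratePBKDFKey requires ColdFusion 11 or later.

```cfml
<!--- Application.cfm (added example). The application name, datasource,
      table, columns and loginform.cfm are assumptions, not from the book. --->
<cfapplication name="intranet" sessionmanagement="yes">

<!--- 15-minute idle time-out instead of the 1800-second default; security is
      shared only with code that uses the same applicationtoken; the login
      cookie is set for the forta.com domain. --->
<cflogin idletimeout="900"
         applicationtoken="intranet_admin"
         cookiedomain="forta.com">

  <!--- The cflogin structure exists only when credentials were submitted. --->
  <cfif NOT IsDefined("cflogin")>
    <cfinclude template="loginform.cfm">
    <cfabort>
  </cfif>

  <!--- cfqueryparam binds the submitted name instead of splicing it into SQL. --->
  <cfquery name="getUser" datasource="intranet_dsn">
    SELECT user_name, pw_salt, pw_key, roles
    FROM   app_users
    WHERE  user_name = <cfqueryparam value="#cflogin.name#"
                                     cfsqltype="cf_sql_varchar" maxlength="64">
  </cfquery>

  <!--- Derive a key from the submitted password and compare it with the
        stored one (iteration count and key size are assumed to match what
        was used when pw_key was stored). Compare() is case sensitive,
        unlike EQ. --->
  <cfset loginOk = false>
  <cfif getUser.RecordCount EQ 1>
    <cfset derived = GeneratePBKDFKey("PBKDF2WithHmacSHA1", cflogin.password,
                                      getUser.pw_salt, 100000, 256)>
    <cfset loginOk = (Compare(derived, getUser.pw_key) EQ 0)>
  </cfif>

  <cfif loginOk>
    <cfloginuser name="#getUser.user_name#" password="#cflogin.password#"
                 roles="#getUser.roles#">
  <cfelse>
    <!--- Same response for an unknown user and a wrong password. --->
    <cfinclude template="loginform.cfm">
    <cfabort>
  </cfif>
</cflogin>
```

A second section of the same application can use its own <cflogin> block with a different applicationtoken value, so that a login to one section does not carry over to the other.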