Advanced Security Options


In addition to the basic (and not so basic) functionality described thus far, the security framework features some more advanced options that may be used as needed.

Setting the Time-out

The default login time-out is 30 minutes (1800 seconds). To change this value, pass a new time-out (in seconds) to the idletimeout attribute in the <cflogin> tag.

Securing Parts of an Application

By default, security is tied to the ColdFusion application. Any code in the same application (sharing the same application name) shares the same security system. This behavior can be changed by passing a name to the <cflogin> applicationtoken attribute. Security will then be shared only by code using the same applicationtoken.

A single application can have multiple applicationtoken values for different sections, allowing various sections to be secured in different ways. In addition, a number of applications can share security if needed.
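
The following is an added example, not code from the book, showing a login block for one section of an application that uses its own applicationtoken and a shorter idle time-out. The application name, token, datasource, table, column names and loginform.cfm are assumptions; the form is assumed to post the j_username and j_password fields that populate the cflogin structure.

```cfml
<!--- Application.cfm for the admin section only (added example; all names are assumptions) --->
<cfapplication name="storefront" sessionmanagement="yes">

<!--- 15-minute idle time-out. Login state is shared only with code
      that uses the same applicationtoken, not with the rest of "storefront". --->
<cflogin idletimeout="900" applicationtoken="storefront_admin">
  <cfset authenticated = false>

  <!--- The cflogin structure exists only when credentials were submitted --->
  <cfif IsDefined("cflogin")>
    <!--- Bind the user name as a parameter so it cannot alter the SQL --->
    <cfquery name="qUser" datasource="storefrontDSN">
      SELECT user_name, pass_salt, pass_hash, role_list
      FROM   admin_users
      WHERE  user_name = <cfqueryparam value="#cflogin.name#"
                                       cfsqltype="cf_sql_varchar" maxlength="50">
    </cfquery>

    <!--- Compare a salted hash of the submitted password with the stored hash --->
    <cfif qUser.RecordCount EQ 1
          AND Hash(qUser.pass_salt & cflogin.password, "SHA-256") EQ qUser.pass_hash>
      <cfloginuser name="#qUser.user_name#"
                   password="#cflogin.password#"
                   roles="#qUser.role_list#">
      <cfset authenticated = true>
    </cfif>
  </cfif>

  <!--- No credentials, unknown user or wrong password: show the form and stop --->
  <cfif NOT authenticated>
    <cfinclude template="loginform.cfm">
    <cfabort>
  </cfif>
</cflogin>
```

The body of <cflogin> runs only when no user is logged in for this applicationtoken, so after a successful <cfloginuser> the query is skipped until the login times out or the user logs out.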

Restricting Clients Based on Domain

The <cflogin>-based security system will allow logins from any host as long as the user can be authenticated. To restrict access to specific hosts, specify the domain in the <cflogin> cookiedomain attribute. For example, the following allows logins only from hosts in the domain forta.com:

 <cflogin cookiedomain="forta.com"> 

NOTE

cookiedomain can also be used to specify subdomains and even specific hosts if needed.


Cookieless Security

<cflogin> depends on HTTP cookies. If cookies cannot be used, logins may still occur, lasting only for the duration of the single request. This may be desirable if credentials are passed back on each request, or if you are building a single-request system (for example, a Web Service).

Web Services are covered in Chapter 32, "Web Services."


If cookies are not being used, <cfloginuser> should be used without the <cflogin> tag.



Macromedia ColdFusion MX 7 Certified Developer Study Guide
ISBN: 0321330110
EAN: 2147483647
Year: 2004
Pages: 389
Authors: Ben Forta
