ColdFusion MX 7 Login Security (Page 13 of 13)


Now that we've covered everything in our "ground rules," make sure you take the time to play with the sample application so you can fully understand how it works. Test the login and logout code using a single browser. Try to load the secondaryPage.cfm template before you've logged in; once you do log in, you should be redirected to the secondary page. Open two different browsers (for instance Safari and Firefox) and log in on both. Refresh the index.cfm page to see the session tracking/counting code at work. Log in under both browsers again, but this time manually log out of one; on the other browser, refresh the index.cfm page and check the session tracking code. And finally, log in under both browsers and let one session time out on its own. Keep refreshing your second browser until you see the first one drop off the session tracking list. Now that you've performed all these tasks, let's review what you've learned.

1. Using the Application Framework of ColdFusion MX 7, you can create a robust and secure user login that protects your application from unauthorized use.

2. It is best to store sensitive data in a database in a protected form instead of in plain text. ColdFusion MX 7 has a built-in function called Hash() that provides a quick and easy method for securing data as one-way hashed strings (the original value cannot be recovered from the digest) ranging in size from 32 characters to 512 characters.

3. By fully utilizing the Application Framework and shared scopes, it is relatively easy to add application-wide session tracking/counting (how many users are logged in, etc.) to your applications.

4. Using Session variables and the Application Framework, it is easy to support "smart redirects" that send users to the page they originally requested once they log in to your applications.

5. Not only is it important to provide a method for timing out your user sessions, it is also necessary to provide the user with a means of manually logging out. Using the Application Framework and custom session-killing code, your applications can support accurate session tracking/counting and user logouts.
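The following is an added example that pulls points 2 through 5 together in one place; it is not the tutorial's sample application and was not written by its author. It assumes an application named loginSecurityDemo, a Session.auth struct, an Application.activeUsers registry keyed by Session.sessionId, a login.cfm/logout.cfm pair, and a constructed in-memory demo account (username "demo") standing in for the tutorial's database table. It goes slightly beyond the text by storing a per-user random salt alongside the Hash() digest, so two users with the same password do not produce the same stored value.

```cfml
<!--- ===== Application.cfc (added example; not the tutorial's code) ===== --->
<cfcomponent output="false">
    <!--- The application name, timeout, Session.auth and Application.activeUsers keys,
          and the demo account below are all assumptions made for this example --->
    <cfset this.name = "loginSecurityDemo">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>  <!--- 20-minute idle timeout --->

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Registry of logged-in sessions (sessionId -> username) used for tracking/counting --->
        <cfset Application.activeUsers = structNew()>
        <!--- Constructed demo account standing in for the tutorial's user table. Only a random
              salt and the one-way SHA-512 digest of password+salt are kept, never the password --->
        <cfset Application.users = structNew()>
        <cfset Application.users["demo"] = structNew()>
        <cfset Application.users["demo"].salt = createUUID()>
        <cfset Application.users["demo"].pwdHash = hash("demo-password" & Application.users["demo"].salt, "SHA-512")>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <cfset Session.auth = structNew()>
        <cfset Session.auth.isLoggedIn = false>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var page = listLast(arguments.targetPage, "/")>
        <!--- Everything except the login and logout pages requires an authenticated session --->
        <cfif NOT Session.auth.isLoggedIn AND NOT listFindNoCase("login.cfm,logout.cfm", page)>
            <!--- Remember the bare template name (never a full URL, so it cannot become an
                  open redirect) so login.cfm can send the user back here: the "smart redirect" --->
            <cfset Session.auth.returnTo = page>
            <cflocation url="login.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionEnd" returntype="void" output="false">
        <cfargument name="sessionScope" type="struct" required="true">
        <cfargument name="applicationScope" type="struct" required="true">
        <!--- Idle timeout fired: drop the session from the registry so the count stays accurate.
              Inside this method the scopes are only reachable through the arguments --->
        <cflock scope="application" type="exclusive" timeout="5">
            <cfset structDelete(arguments.applicationScope.activeUsers, arguments.sessionScope.sessionId)>
        </cflock>
    </cffunction>
</cfcomponent>

<!--- ===== login.cfm ===== --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">
<cfif len(form.username) AND len(form.password)>
    <cfset authenticated = false>
    <cfif structKeyExists(Application.users, form.username)>
        <!--- Re-hash the submitted password with the stored salt and compare digests; the stored
              digest cannot be reversed, so a leaked user table does not leak passwords --->
        <cfset user = Application.users[form.username]>
        <cfif compare(hash(form.password & user.salt, "SHA-512"), user.pwdHash) EQ 0>
            <cfset authenticated = true>
        </cfif>
    </cfif>
    <cfif authenticated>
        <cfset Session.auth.isLoggedIn = true>
        <cfset Session.auth.username = form.username>
        <cflock scope="application" type="exclusive" timeout="5">
            <cfset Application.activeUsers[Session.sessionId] = form.username>
        </cflock>
        <!--- Smart redirect: honour the page originally requested, else fall back to index.cfm --->
        <cfset destination = "index.cfm">
        <cfif structKeyExists(Session.auth, "returnTo")>
            <cfset destination = Session.auth.returnTo>
            <cfset structDelete(Session.auth, "returnTo")>
        </cfif>
        <cflocation url="#destination#" addtoken="false">
    <cfelse>
        <p>Login failed.</p>  <!--- one message for unknown user and wrong password alike --->
    </cfif>
</cfif>
<form method="post" action="login.cfm">
    <input type="text" name="username"> <input type="password" name="password">
    <input type="submit" value="Log in">
</form>

<!--- ===== logout.cfm (the manual "session killing" step) ===== --->
<cflock scope="application" type="exclusive" timeout="5">
    <cfset structDelete(Application.activeUsers, Session.sessionId)>
</cflock>
<!--- Reset the auth struct rather than StructClear(Session), which would also remove the
      built-in CFID/CFTOKEN/SessionId keys that session management relies on --->
<cfset Session.auth = structNew()>
<cfset Session.auth.isLoggedIn = false>
<cflocation url="login.cfm" addtoken="false">

<!--- ===== index.cfm: the tracking/counting display ===== --->
<cflock scope="application" type="readonly" timeout="5">
    <cfoutput><p>#structCount(Application.activeUsers)# user(s) currently logged in.</p></cfoutput>
</cflock>
```

Running the same exercises as above against this code shows each mechanism: requesting secondaryPage.cfm while logged out sets Session.auth.returnTo and bounces to login.cfm, a successful login lands on secondaryPage.cfm, logout.cfm removes the entry immediately, and the idle timeout removes it through onSessionEnd. Two caveats worth keeping in mind: Hash() is a fast digest rather than reversible encryption, so there is no way to "decrypt" a stored value and password checks always work by re-hashing the candidate, and because MX 7 ships no deliberately slow password hash, salting as shown is the best the built-in function offers.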