The cflogin tag executes only if there is no currently logged-in user. It has the following three optional arguments that control the characteristics of a ColdFusion login:
Attribute | Use |
---|---|
idleTimeout | If no page requests occur during the idleTimeout period, ColdFusion logs out the user. The default is 1800 seconds (30 minutes). This is ignored if login information is stored in the Session scope. |
applicationToken | Limits the login validity to a specific application as specified by a ColdFusion pages |
cookieDomain | Specifies the domain of the cookie used to mark a user as logged-in. You use cookieDomain if you have a clustered environment (for example, x.acme.com, x2.acme.com, and so on). This lets the cookie work for all the computers in the cluster. |

The login identification created by the cflogin tag is valid only for pages within the directory that contains the page that uses the cflogin tag and any of its subdirectories. Therefore, if a user requests a page in another directory tree, the current login credentials are not valid for accessing those pages. This security limitation lets you use the same user names and passwords for different sections of your application (for example, a UserFunctions tree and a SecurityFunctions tree) and enforce different roles to the users depending on the section.

ColdFusion uses the applicationToken value to generate a unique identifier that enforces this rule. The default applicationToken value is the current application name, as specified by a cfapplication tag or Application.cfc initialization code. In normal use, you do not need to specify an applicationToken value in the cflogin tag.

Use the cookieDomain attribute to specify the domain of the cookie used to mark a user as logged-in. You use cookieDomain if you have a clustered environment (for example, www.acme.com, www2.acme.com, and so on). This lets the cookie work for all computers in the cluster. For example, to ensure that the cookie works for all servers in the acme.com domain, specify cookieDomain=".acme.com".

To specify a domain name, start the name with a period.

Caution: Before setting the cookie domain, consider that other applications or servers in the broader domain might have access to the cookie. For example, a clustered payroll application at payroll1.acme.com, payroll2.acme.com, and so on, might reveal sensitive information to the test computer at test.acme.com, if the cookie domain is broadly set to .acme.com.
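
The scoping risk in the caution above, as an added example that is not part of the ColdFusion documentation: it applies the RFC 6265 domain-matching rule to a candidate cookieDomain value and lists which hosts would receive the login cookie. The host inventories, the function names, and the payroll.acme.com subdomain are constructed for illustration.

```javascript
// Added example (not ColdFusion code): which hosts receive a cookie whose
// Domain attribute is the value you plan to pass as cookieDomain?

// Cookies carrying a Domain attribute never suffix-match IP-address hosts.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 section 5.1.3: the host equals the domain, or ends with "." + domain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (d === "") return false;
  if (h === d) return true;
  return !isIpLiteral(h) && h.endsWith("." + d);
}

// Compare the hosts that would receive the cookie with the hosts meant to share it.
function auditCookieDomain(cookieDomain, inventory, intended) {
  const receives = inventory.filter((h) => domainMatches(h, cookieDomain));
  return {
    cookieDomain,
    intended: receives.filter((h) => intended.includes(h)),
    unintended: receives.filter((h) => !intended.includes(h)),
    missed: intended.filter((h) => !receives.includes(h)),
  };
}

// Constructed inventory using the host names from the caution, plus two
// look-alike names that must NOT match.
const inventory = ["payroll1.acme.com", "payroll2.acme.com", "test.acme.com",
  "www.acme.com", "acme.com.example.net", "notacme.com"];
const broad = auditCookieDomain(".acme.com", inventory,
  ["payroll1.acme.com", "payroll2.acme.com"]);

// Hypothetical alternative: the cluster lives under its own subdomain, so the
// cookie domain can be scoped to that subdomain only.
const scopedInventory = ["node1.payroll.acme.com", "node2.payroll.acme.com",
  "test.acme.com", "www.acme.com"];
const narrow = auditCookieDomain(".payroll.acme.com", scopedInventory,
  ["node1.payroll.acme.com", "node2.payroll.acme.com"]);

console.log(JSON.stringify(broad, null, 2));
console.log(JSON.stringify(narrow, null, 2));
```

Any host listed under unintended can read the login cookie, so review that list before widening cookieDomain.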