Adobe ColdFusion 8

Using the cflogin tag

The cflogin tag executes only if there is no currently logged-in user. It has the following three optional arguments that control the characteristics of a ColdFusion login:

Attribute         Use
----------------  ------------------------------------------------------------
idleTimeout       If no page requests occur during the idleTimeout period, ColdFusion logs out the user. The default is 1800 seconds (30 minutes). This attribute is ignored if login information is stored in the Session scope.
applicationToken  Limits the login validity to a specific application as specified by a ColdFusion page's cfapplication tag. The default value is the current application name.
cookieDomain      Specifies the domain of the cookie used to mark a user as logged-in. You use cookieDomain if you have a clustered environment (for example, x.acme.com, x2.acme.com, and so on). This lets the cookie work for all the computers in the cluster.

Login identification scope and the applicationToken attribute

The login identification created by the cflogin tag is valid only for pages within the directory that contains the page that uses the cflogin tag and any of its subdirectories. Therefore, if a user requests a page in another directory tree, the current login credentials are not valid for accessing those pages. This security limitation lets you use the same user names and passwords for different sections of your application (for example, a UserFunctions tree and a SecurityFunctions tree) and enforce different roles for the users depending on the section.

ColdFusion uses the applicationToken value to generate a unique identifier that enforces this rule. The default applicationToken value is the current application name, as specified by a cfapplication tag or Application.cfc initialization code. In normal use, you do not need to specify an applicationToken value in the cflogin tag.

Specifying the Internet domain

Use the cookieDomain attribute to specify the domain of the cookie used to mark a user as logged-in. You use cookieDomain if you have a clustered environment (for example, www.acme.com, www2.acme.com, and so on). This lets the cookie work for all computers in the cluster. For example, to ensure that the cookie works for all servers in the acme.com domain, specify cookieDomain=".acme.com". To specify a domain name, start the name with a period.

Important: Before setting the cookie domain, consider that other applications or servers in the broader domain might have access to the cookie. For example, a clustered payroll application at payroll1.acme.com, payroll2.acme.com, and so on, might reveal sensitive information to the test computer at test.acme.com if the cookie domain is broadly set to .acme.com.
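The following Application.cfm fragment is an added example that is not part of the Adobe documentation; it shows the three optional attributes together in one cflogin block. The cluster host names follow the acme.com examples above, and the credential check is delegated to a hypothetical validateCredentials() function that you would implement against your own user store (it is assumed here, not a ColdFusion built-in). The cookie domain is kept as narrow as the cluster allows, rather than the whole acme.com domain, to limit which hosts can read the login cookie.

```cfml
<!--- Added example (not Adobe's code): cflogin with idleTimeout,
      applicationToken and cookieDomain. Runs only when no user is
      currently logged in. --->
<cfapplication name="payrollApp" sessionmanagement="true">

<cflogin
    idletimeout="900"
    applicationtoken="payrollApp"
    cookiedomain=".payroll.acme.com">
    <!--- idletimeout="900": log out after 15 minutes without a request
          (default would be 1800). applicationtoken matches the
          cfapplication name so the login is scoped to this application.
          cookiedomain ".payroll.acme.com" is a hypothetical narrower
          subdomain: the cookie is shared by payroll1/payroll2 hosts only,
          not by other hosts such as test.acme.com. --->

    <cfif IsDefined("cflogin")>
        <!--- cflogin.name / cflogin.password are populated by ColdFusion
              from the login form (j_username / j_password) or from
              HTTP basic authentication. --->
        <cfset roles = validateCredentials(cflogin.name, cflogin.password)>
        <!--- validateCredentials() is an assumed application function:
              it returns a comma-separated role list on success or an
              empty string on failure. --->

        <cfif Len(roles)>
            <cfloginuser
                name="#cflogin.name#"
                password="#cflogin.password#"
                roles="#roles#">
        <cfelse>
            <!--- Failed login: show the form again and stop processing. --->
            <cfinclude template="loginform.cfm">
            <cfabort>
        </cfif>
    <cfelse>
        <!--- No credentials submitted yet: show the login form. --->
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>
</cflogin>
```

Because the login is tied to the directory tree that contains this Application.cfm, a request to a page outside that tree does not carry the login, which is the behavior the "Login identification scope" section describes. If you later move the login cookie's domain up to ".acme.com", every host in that domain, including non-payroll machines, can present the cookie.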