cflogin

Yes. Application.cfc is a complete replacement for Application.cfm and will override the Application.cfm if they are both included. That is why it is important to convert the CFM to a CFC

Ok. I don't know much about CFCs. If I put an Application.cfc in my directory will the CF server know to include it and use it as an auth file like Application.cfm? I'll check out the article from Ben.

This is a great post. I have been lazy with my authentication so I will definitely take your advice on this. Before I do though, is there a book or tutorial you used to setup your Application.cfm file? I will follow your code but want to prep appropriately first.

idesdema,

I would still recommend using cflogin/cflogout for this, but then also utilize the powerful features of session management. I have done something like this before and I did it as follows.

1. In your Application.cfc (You must use Application.cfc for this) initialize and Application struct variable in your onApplicationStart() method. Something like <cfset application.loggedInUsers = StructNew() />

2. Have the user login using CFLogin with a <cflogin> process in your application.cfc onRequestStart() method that process the login using whatever logic you choose.

3. During the login process set the user info to the Application variable you set earlier.

<cflock scope="Application" type="exclusive">
<cfset "application.loggedInUsers.#j_username#" = '#j_username#' />
<cfset session.username = j_username /> <!--- We set this session var cause we will need it later --->
</cflock>

Now you have an struct of all of the users who are logged into your site.

4. Create a function for when they click your logout button (Yes, i know they will not always hit it, we will get to that).

Create this function in some sort of a cfc that can be accessed from anywhere. I like to create a common.cfc for such functions and then
add it to the application scope in the Application.cfc onApplicationStart() method. Something like:

<cfset application.common=CreateObject("component","cfc.common").init(application.dsn) />

So somewhere where you can access it from any cfm file create a function. Like so:

<cffunction name="logoutUser" access="public" output="false">
<cfargument name="username" type="string" />

<cfset StructDelete('application.loggedInUsers', arguments.username,false) />
<cflogout />
</cffunction>

4.1 Create a logout page. It can be very simple. It can look like this:

<cfset application.commonCFC.logoutUser(arguments.SessionScope.username); />
<cflocation url="/index.cfm" />

5. Finally, to handle those lazy users who cannot be troubled to click the Logout button ;), create an onSessionEnd() method in your Application.cfc
that will execute your logUserOut() function

<cffunction name="onSessionEnd" access="public" output="false">
<!--- Session scope and Application scope must be passed into onSessionend to be used --->
<cfargument name = "SessionScope" required=true/>
<cfargument name = "AppScope" required=true/>

<!--- Run the logoutUser(0 function and pass in the username so it knows which struct key to remove --->
<cfset logoutUser(arguments.SessionScope.username); />
</cffunction>

** Disclaimer: I have not tested any of this code. I am planning to rewrite it as a blog entry later, so if you need further clarification, please add to this thread so I can explain further or make corrections