Good Evening:

I am trying to implement session management on a website I am building with coldfusion. Currently, the site authenticates via IIS 7 using the "Requires Authentication" setting that requires users to log into the web server before any page is served. This, however, is not ideal. It appears that the session management does not work when users are automatically logged on by using the IIS 7 authentication.

Currently my CGI variables get set once IIS authenticates, then the user information is set based on the authenticated username. I am halted from ending a session because IIS is still authenticated on that open browser, and until the browser window is closed, the site is still active.

I was trying to make sense of LDAP, but that is new to me (Active Directory is something I have not used much of, but the people who I'm helping love it). I was not sure if I would be able to create a simple login form and then have that check against active directory, for the hopes of not making people memorize yet another password, and just let them use the same password they use on the network.

Any assistance would be greatly appreciated.

In your application.cfc or application.cfm file check for the existance of a client.username, if it doesn't exist redirect to a login form - like:

<cfif not isdefined("client.username")>
    <cflocation url="http://#cgi.server_name#/login/login.cfm"/>

In your login action page (in a seperate login folder with it's own application.cfm or application.cfc so it doesn't create an endless loop), test the user password by doing a ldap connection to your active directory server. Trap any errors as login failure.

        <cfset client.username = form.logonName	/>	
     <cfcatch type="any">
	     <cflocation url="login.cfm?msg=Your logon failed please try again"/>

That's the basic idea, you can limit retries, pull active directory info for the user and put it in client variables, etc to add others features.