Ask the Training Staff

This month we have three questions to consider. I like them all because they're very practical and applicable to many kinds of applications.

I particularly like the third question about encryption methods because it gives me an opportunity to cover two undocumented ColdFusion functions. I hope you find my answers helpful. Keep those questions coming!

Q: My question has to do with forcing session variables to time out after a specified period of time - not a period of inactivity. I am writing an online testing application that should allow a user only 10 minutes to take a test. How can I force their sessions to expire after 10 minutes?
A: This is easily accomplished by setting a session variable, say Session.StartTime, equal to the current time using the Now() function at the moment the exam begins (see Listing 1). Every exam page, including the page that receives the finished answers, must then test for the existence of this variable. If it does not exist, the user either never started the exam or has already been timed out, so redirect them to an error page. If it does exist, use the DateDiff() function to compute the time elapsed between Session.StartTime and the current value of Now(). If that value exceeds 10 minutes, delete the session variable and redirect the user to another page. Because the check compares two server-side timestamps, it holds regardless of activity and cannot be extended by the user; do not rely on a hidden form field or a client-side timer for the limit. Note that DateDiff("n", ...) truncates to whole minutes, so compare in seconds if you want the cutoff to be exact.
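The following is an added example, not Listing 1 from the column. It assumes session management is enabled in Application.cfm; the page names exam_start.cfm, question.cfm and exam_expired.cfm are hypothetical. The guard is written so it can be included at the top of every exam page, including the answer-submission page, so the limit is enforced on the server for every request.

```cfml
<!--- Added example (not the column's Listing 1). Assumes session management is
      enabled in Application.cfm; exam_start.cfm, question.cfm and
      exam_expired.cfm are hypothetical page names. --->

<!--- exam_start.cfm: stamp the absolute start time once, on the server --->
<cfif NOT StructKeyExists(Session, "ExamStartTime")>
    <cfset Session.ExamStartTime = Now()>
</cfif>
<cflocation url="question.cfm">

<!--- exam_guard.cfm: <cfinclude> this at the top of every exam page, including the
      page that receives the finished answers. cflocation halts the request, so
      nothing below a redirect is rendered or processed. --->
<cfset examSeconds = 10 * 60>

<cfif NOT StructKeyExists(Session, "ExamStartTime")>
    <!--- never started, or already expired and cleared --->
    <cflocation url="exam_expired.cfm">
</cfif>

<!--- compare two server timestamps in seconds; DateDiff("n") would truncate 10:59 to 10 --->
<cfset elapsedSeconds = DateDiff("s", Session.ExamStartTime, Now())>

<cfif elapsedSeconds GT examSeconds>
    <!--- absolute limit reached regardless of activity: clear the marker and bounce --->
    <cfset StructDelete(Session, "ExamStartTime")>
    <cflocation url="exam_expired.cfm">
</cfif>

<!--- still inside the window; fine to show a countdown, but the server value rules --->
<cfset secondsLeft = examSeconds - elapsedSeconds>
```

On ColdFusion 4.5 and 5, wrap the reads and writes of the Session scope above in `<cflock scope="Session" type="exclusive">`; ColdFusion MX and later do not require the lock for this.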

Q: I am writing a domain name registration application and need an easy way for users to input multiple domain names to check against a whois search. I know I can build a separate form field for each domain name, but that gets pretty messy if they need to check more than five domains. I'd like them to just enter all the domains they want checked into a single form field, but I'm not sure how to parse out the individual domain names once the form is submitted. How do I do this?
A: This is a great question and somewhat piggybacks on one of the questions in last month's column. What you do is create a TextArea form field that allows users to input as many domain names as they want, each domain on a separate line in the text box. This concept works for any kind of data that needs to be submitted in bulk (e.g., e-mail addresses, product codes, keywords). The key to success is having each entry on a separate line. This is easy for users because they can copy data from a spreadsheet or text document and just paste the data into the form field. Once the form is submitted, you simply treat the data as a list delimited by a carriage return and a line feed. Your CF code loops over the list using Chr(13) and Chr(10) - the ASCII codes for a carriage return and line feed, respectively - as the delimiters, and then performs whatever code you need for each iteration of the loop (in your case, checking each domain name against a whois search). ColdFusion treats each character of the delimiters string as a separate delimiter and skips empty elements, so the loop works whether the browser sends CRLF or the user pasted text containing bare line feeds. Trim each element, discard blanks, validate that what remains looks like a domain name, and cap how many entries one submission may contain before handing anything to the whois lookup: the text area is untrusted input, and a whois client that builds a command line or query from the raw line should never see unvalidated text. See Listing 2 for a simple example.
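The following is an added example, not Listing 2 from the column. It shows the text-area form, the CRLF-delimited loop, and the trimming and validation step that should sit between the form and the whois lookup; check_domains.cfm is a hypothetical page name, and the domain pattern is deliberately conservative (letters, digits and hyphens, at least one dot, an alphabetic top-level label). The whois call itself is left to your client; only validated, bounded entries reach it.

```cfml
<!--- Added example (not the column's Listing 2). check_domains.cfm is a
      hypothetical page name. --->

<!--- The form: one domain per line --->
<form action="check_domains.cfm" method="post">
    <textarea name="domains" rows="10" cols="40"></textarea>
    <input type="submit" value="Check">
</form>

<!--- check_domains.cfm --->
<cfparam name="Form.domains" default="">

<!--- CR and LF are each a delimiter and empty elements are skipped, so CRLF from
      the browser and bare LF from pasted text both split correctly --->
<cfset crlf = Chr(13) & Chr(10)>
<cfset maxDomains = 50>
<cfset domainPattern = "^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z][a-z]+$">
<cfset validDomains = ArrayNew(1)>
<cfset rejected = ArrayNew(1)>

<cfloop list="#Form.domains#" index="rawEntry" delimiters="#crlf#">
    <cfset entry = LCase(Trim(rawEntry))>
    <cfif Len(entry)>
        <!--- length cap (253 is the DNS maximum), syntax check, and a per-submission cap --->
        <cfif Len(entry) LTE 253 AND REFind(domainPattern, entry)
              AND ArrayLen(validDomains) LT maxDomains>
            <cfset ArrayAppend(validDomains, entry)>
        <cfelse>
            <cfset ArrayAppend(rejected, entry)>
        </cfif>
    </cfif>
</cfloop>

<!--- validDomains now holds only well-formed names; pass each one to your whois client here --->
<cfoutput>
    <p>#ArrayLen(validDomains)# domain(s) accepted for lookup.</p>
    <!--- reflected user input is HTML-escaped so a pasted line cannot inject markup --->
    <cfloop index="i" from="1" to="#ArrayLen(rejected)#">
        <p>Skipped (not a valid domain name): #HTMLEditFormat(rejected[i])#</p>
    </cfloop>
</cfoutput>
```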

Q: I need to store sensitive information (social security numbers, passwords, etc.) in a database and don't know how to protect the data from being seen by the other developers working on the application. Any suggestions?
A: Wow, an entire issue of CFDJ could (and maybe should) be devoted to this one question! I won't go into any Web site or database security issues here, but I will address how to encrypt the data in the database using a few different methods. I can't believe how many applications I encounter that simply store this kind of data (even credit card numbers!) without using any kind of data encryption. These developers are taking huge security risks that aren't necessary, given how easy it is to employ basic encryption and decryption methods.

First, if the data, once stored in the database, never needs to be displayed again but is only compared or validated (like a password), use the Hash() function. Hash() is not encryption: it computes a one-way message digest (ColdFusion 5 and MX 6 always produce MD5; ColdFusion MX 7 and later accept an algorithm argument such as "SHA-256"), and there is no way to recover the original value from the stored digest. It is useful for validation because you hash the value the user supplies and compare the two digests to see if they match. Two caveats: hash passwords with a unique per-user salt and many iterations, otherwise identical passwords produce identical digests and precomputed tables apply; and do not expect hashing alone to protect a Social Security number or any other value drawn from a small space, because an attacker who obtains the digest can simply hash every possible value until one matches. Listing 3 gives an example of using Hash().

If you do need to retrieve and display (decrypt) the data for the user or for application use (like charging a recurring fee to a credit card), you need reversible encryption. At a bare minimum use the Encrypt() and Decrypt() functions; their default algorithm is weak and will only disguise the actual value from the casual database viewer. The undocumented Cfusion_Encrypt() and Cfusion_Decrypt() functions use the same syntax, but they are unsupported and are likewise a lightweight reversible scheme rather than a standard cipher, so do not count on them for stronger protection. On ColdFusion MX 7 and later, Encrypt() and Decrypt() accept an algorithm argument; use "AES" with a key produced by GenerateSecretKey("AES"). Whichever pair you use, you must supply a key for the encrypt/decrypt processes and use the same key when decrypting. Generate it randomly rather than picking an arbitrary seed, and keep it out of the database and out of the page source (for example in a configuration file outside the web root, readable only by the ColdFusion service account); otherwise anyone who obtains the table and the code has the plaintext. Listing 4 gives an example.
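The following is an added example covering both the Hash() and the Encrypt()/Decrypt() parts of this answer; it is not Listing 3 or 4 from the column. It assumes ColdFusion MX 7 or later, where Hash() accepts an algorithm and Encrypt()/Decrypt() support AES. The password, PIN and card number are constructed test values; hashPassword() is a hypothetical helper defined here, not a built-in function.

```cfml
<!--- Added example (not the column's Listing 3 or 4). Assumes ColdFusion MX 7+.
      All data values below are constructed for the demonstration. --->

<!--- 1. Passwords: store a salted, iterated digest, never the password itself.
      hashPassword() is a hypothetical helper; a real KDF (PBKDF2 or bcrypt via
      the JVM) is preferable to a hand-rolled iteration loop. --->
<cffunction name="hashPassword" returntype="string" output="false">
    <cfargument name="password" type="string" required="true">
    <cfargument name="salt" type="string" required="true">
    <cfargument name="iterations" type="numeric" default="10000">
    <cfset var digest = Arguments.salt & Arguments.password>
    <cfset var i = 0>
    <cfloop index="i" from="1" to="#Arguments.iterations#">
        <cfset digest = Hash(digest & Arguments.salt, "SHA-256")>
    </cfloop>
    <cfreturn digest>
</cffunction>

<cfset userSalt   = CreateUUID()>   <!--- unique per user; stored beside the digest, need not be secret --->
<cfset storedHash = hashPassword("correct horse battery", userSalt)>
<!--- at login: recompute with the stored salt and compare digests --->
<cfset loginOk    = (hashPassword("correct horse battery", userSalt) EQ storedHash)>

<!--- 2. Why hashing alone does not protect a small value space: a 4-digit PIN has
      10^4 possible values and an SSN at most 10^9, so an attacker holding the digest
      just hashes every candidate. Shown on the PIN; an SSN takes 10^5 times longer. --->
<cfset pinHash   = Hash("4821", "SHA-256")>
<cfset recovered = "">
<cfloop index="candidate" from="0" to="9999">
    <cfset padded = Right("0000" & candidate, 4)>
    <cfif Hash(padded, "SHA-256") EQ pinHash>
        <cfset recovered = padded>   <!--- "4821" is found well under a second --->
        <cfbreak>
    </cfif>
</cfloop>

<!--- 3. Data that must be read back (a card number for recurring billing): AES with
      a randomly generated key. Generate the key once, keep it in protected
      configuration outside the web root, and never store it in the same table. --->
<cfset aesKey     = GenerateSecretKey("AES")>
<cfset cipherText = Encrypt("4111111111111111", aesKey, "AES", "Hex")>
<cfset plainText  = Decrypt(cipherText, aesKey, "AES", "Hex")>
<!--- plainText equals the original card number only with the identical key --->
```

The plain "AES" algorithm name selects ECB mode, which leaks whether two rows hold the same plaintext; on ColdFusion 8 and later pass "AES/CBC/PKCS5Padding" together with a random IV in the fifth argument and store the IV alongside the ciphertext.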

*  *  *

Please send your questions about ColdFusion (CFML, CF Server, or CF Studio) to AskCFDJ@sys-con.com. And please visit our archive site at www.NetsiteDynamics.com/AskCFDJ.

More Stories By Bruce Van Horn

Bruce Van Horn is president of Netsite Dynamics, LLC, a certified ColdFusion developer/instructor, and a member of the CFDJ International Advisory Board.
