• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 560

ColdFusion: Pass Session Variables from One Application to Another

Hi, I have two entirely different stated/defined applications.  One application has a login system.  I'd like to pass the login variables (session.login, session.userid) from the application that establishes them to the application that doesn't have them.  How do I go about something like this?

Thanks for any help.
0
Asked: wkolasa
2 Solutions
 
erikTsomik (System Architect, CF programmer) Commented:
The session variables, once established, can be called by their names.
0
 
wkolasa (Author) Commented:
When I'm in, let's call them applicationA and applicationB...  when I switch to applicationB (sep. application.cfm file establishing its own session management, etc...), applicationA's session variables aren't accessible when calling them by name.  Can I call them like this:  applicationA.session.userid  ??
0
 
Tomarse111 Commented:
I do something similar, I think, to what you need to do, by passing the session over 2 domains. On the link that leaves domain one I leave the tokens in the URL, then in domain two I reassign them. For example:
<!--- Domain 1 has --->
 
<cfoutput><a href="http://domain2.com?CFID=#CFID#&CFTOKEN=#CFTOKEN#">Link</a></cfoutput>
 
<!--- On domain 2 I catch the URL and reassign the vars --->
<cfif isdefined("URL.CFID") AND URL.CFID NEQ "" AND isdefined("URL.CFTOKEN")>
	<cfcookie name="CFID" value="#URL.CFID#">
	<cfcookie name="CFTOKEN" value="#URL.CFTOKEN#">
</cfif>
 
<!--- Please note though that this will only work if both domains or apps are on the same server. --->


0

 
gdemaria Commented:
If you only need a couple session variables, such as login (user_id), you can place them in a browser cookie to be grabbed by the other application.  

If you need a lot of session information, then rather than impersonating the other session, just use the same application name in your cfapplication tag.  Then both apps will share the same sessions.
0
 
wkolasa (Author) Commented:
Both apps use different login systems (I have no idea why, I'm new to this company.  I can tell you that no system at this company makes any sense whatsoever... too many 'contractors' over too many years).  So, b/c they both use their own session.whatevers for logins and other things, I'm stuck having to devise a secure way of passing around loginIDs & userNames.
0
 
gdemaria Commented:
So, it sounds like you don't want to share their sessions, only their logins.  I would use the browser cookie approach.

<cfcookie name="SysA_User_ID" value="123">

With no expiration date, the cookie will not be written to disk and will disappear when the browser is closed.

You can also add a hashed value to ensure someone is not trying to hack into the other system by adding their own cookie with user_id.
0
 
wkolasa (Author) Commented:
I know very little about adding hashed values... do you have an example?
0
 
gdemaria Commented:
Sure, it's easy.   A hash is a one-way encryption.  

The ColdFusion function hash() does it.   So if you hash(123) you may get XLKJDFLKDJFLKJ91820.
So you store both values in a cookie.   Then after you read the 123, you check the hash to see if they match. You do this by simply rehashing the 123 and seeing if it matches the cookie hash.

Set the user_id and the hashed user_id to the cookies...
 <cfset user_ID = 123>
 <cfcookie name="theID" value="#user_id#">
 <cfcookie name="theCode" value="#hash(user_id)#">

Now read them...
 <!--- the ID was stored in the cookie named "theID" above --->
 <cfset user_id = cookie.theID>
 <cfif  cookie.theCode is NOT hash(user_id)>
     ALERT USER_ID has changed! <cfabort>
 </cfif>


But to do a really good job of this, you need to add a little "salt"  (yes it's really called that)
That means you take a secret word and combine it with your user_id when you hash it.  That makes it impossible for someone to fake the user_id AND fake the hash!

In your application.cfm file you can set up a global variable to hold your secret password:
<!--- a literal # inside a CFML string must be doubled --->
<cfset application.salt = "ASecr3t!@W0rD##$$">

Then add it to the hash...
<cfcookie name="theCode" value="#hash(user_id & application.salt)#">

Of course when checking, you must include it there as well...
 <cfif  cookie.theCode is NOT hash(user_id & application.salt)>



0
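
The signed-cookie check described in the post above, written with a keyed HMAC and an expiry time, as an added example that is not part of the original thread. The cookie name SysA_Login, the function names and the placeholder key are assumptions; hmac() requires ColdFusion 10 or later.

```cfml
<cfscript>
// Added example. Assumption: both applications read the same random secret
// from configuration kept outside the web root; this literal is a placeholder.
variables.sharedKey = "REPLACE-WITH-LONG-RANDOM-SECRET";

// Seconds since 1970-01-01 UTC.
function epochNow() {
    return dateDiff("s", createDate(1970, 1, 1), dateConvert("local2utc", now()));
}

// Application A: build "userId|expiry|mac". userId must not contain "|".
function signLogin(required string userId, numeric ttlSeconds = 300) {
    var payload = arguments.userId & "|" & int(epochNow() + arguments.ttlSeconds);
    return payload & "|" & hmac(payload, variables.sharedKey, "HMACSHA256");
}

// Compare two strings without stopping at the first differing character.
function sameString(required string a, required string b) {
    var diff = 0;
    var i = 0;
    if (len(arguments.a) != len(arguments.b)) return false;
    for (i = 1; i <= len(arguments.a); i++) {
        diff = bitOr(diff, bitXor(asc(mid(arguments.a, i, 1)), asc(mid(arguments.b, i, 1))));
    }
    return diff == 0;
}

// Application B: return the user id, or "" if the token is forged or expired.
function verifyLogin(required string token) {
    var parts = listToArray(arguments.token, "|");
    var expected = "";
    if (arrayLen(parts) != 3 || !isNumeric(parts[2])) return "";
    expected = hmac(parts[1] & "|" & parts[2], variables.sharedKey, "HMACSHA256");
    if (!sameString(uCase(expected), uCase(parts[3]))) return "";
    if (epochNow() > parts[2]) return "";
    return parts[1];
}
</cfscript>

<!--- Application A, after its own login succeeds (secure="true" assumes HTTPS) --->
<cfcookie name="SysA_Login" value="#signLogin(session.userid)#" httponly="true" secure="true">

<!--- Application B, before trusting the cookie --->
<cfset userId = structKeyExists(cookie, "SysA_Login") ? verifyLogin(cookie.SysA_Login) : "">
<cfif NOT len(userId)>
    <cfabort>
</cfif>
```

The expiry field bounds how long a copied cookie stays valid, and the MAC covers both the user id and the expiry so neither can be edited independently.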
 
wkolasa (Author) Commented:
Thank you!
0
