Coldfusion Pass Session Variables from 1 Application to another

Posted on 2009-02-24
Last Modified: 2012-05-06
Hi, I have two entirely different stated/defined applications.  One application has a login system.  I'd like to pass the login variables (session.login, session.userid) from the application that establishes them to the application that doesn't have them.  How do I go about something like this?

Thanks for any help.
Question by:wkolasa
    LVL 19

    Expert Comment

    The session variables, once established, can be called by their names.

    Author Comment

    When I'm in, let's call the applicationA and applicationB...  when I switch to applicationB (sep. application.cfm file establishing its own session management, etc...), applicationA's session variables aren't accessible when calling them by name.  Can I call them like this:  applicationA.session.userid  ??
    LVL 15

    Assisted Solution

    I do something similar, I think, to what you need to do, by passing the session over 2 domains. On the link that leaves domain one I leave the tokens in the URL, then in domain two I reassign them. For example:
    <!--- Domain 1 has --->
    <a href="">Link</a>
    <!--- On domain 2 I catch the URL and reassign the vars --->
    <cfif isdefined("URL.CFID") AND URL.CFID NEQ "">
    	<cfcookie name="CFID" value="#URL.CFID#">
    	<cfcookie name="CFTOKEN" value="#URL.CFTOKEN#">
    </cfif>
    <!--- Please note though that this will only work if both domains or apps are on the same server. --->


    LVL 39

    Expert Comment

    If you only need a couple session variables, such as login (user_id), you can place them in a browser cookie to be grabbed by the other application.  

    If you need a lot of session information, then rather than impersonating the other session, just use the same application name in your cfapplication tag.  Then both apps will share the same sessions.

    Author Comment

    Both apps use different login systems (I have no idea why, I'm new to this company.  I can tell you that no system at this company makes any sense whatsoever... too many 'contractors' over too many years).  So, b/c they both use their own session.whatevers for logins and other things, I'm stuck having to devise a secure way of passing around loginIDs & userNames.  
    LVL 39

    Expert Comment

    So, it sounds like you don't want to share their sessions, only their logins.  I would use the browser cookie approach.

    <cfcookie name="SysA_User_ID" value="123">

    With no expiration date, the cookie will not be written to disk and will disappear when the browser is closed.

    You can also add a hashed value to ensure someone is not trying to hack into the other system by adding their own cookie with user_id.

    Author Comment

    I know very little about adding hashed values... do you have an example?
    LVL 39

    Accepted Solution

    Sure, it's easy.   A hash is a one-way encryption.  

    The ColdFusion function hash() does it.   So if you hash(123) you may get XLKJDFLKDJFLKJ91820
    So you store both values in a cookie.   Then after you read the 123, you check the hash to see if they match; you do this by simply rehashing the 123 and seeing if it matches the cookie hash.

    Set the user_id and the hashed user_id to the cookies...
     <cfset user_ID = 123>
     <cfcookie name="theID" value="#user_id#">
     <cfcookie name="theCode" value="#hash(user_id)#">

    Now read them...
     <!--- read back the same cookie name that was set above (theID) --->
     <cfset user_id = cookie.theID>
     <cfif cookie.theCode is NOT hash(user_id)>
         ALERT USER_ID has changed! <cfabort>
     </cfif>

    But to do a really good job of this, you need to add a little "salt"  (yes it's really called that)
    That means you take a secret word and combine it with your user_id when you hash it.  That makes it impossible for someone to fake the user_id AND fake the hash!

    In your application.cfm file you can setup a global variable to hold your secret password
    <!--- a literal # inside a CFML string must be doubled --->
    <cfset application.salt = "ASecr3t!@W0rD##$$">

    Then add it to the hash...
    <cfcookie name="theCode" value="#hash(user_id & application.salt)#">

    Of course when checking, you must include it there as well...
     <cfif  cookie.theCode is NOT hash(user_id & application.salt)>
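
A keyed-MAC variant of the salted-hash cookie check described in the accepted answer, added here as an example and not part of the original thread. It binds the user ID to a short expiry, signs both with HMAC-SHA256, and compares signatures in constant time. The names application.ssoKey and SysA_Login and the 300-second lifetime are assumptions; hmac() requires ColdFusion 10 or later, and both applications are assumed to share the same key and server clock.

```cfml
<!--- Added example, not the thread's code.
      Assumption: application.ssoKey is a long random secret that both apps
      load from server-side configuration (hypothetical variable name). --->

<!--- Application A: issue the cookie after its own login succeeds --->
<cfset userID  = 123>
<cfset epoch   = dateDiff("s", createDate(1970,1,1), dateConvert("local2utc", now()))>
<cfset payload = userID & "|" & (epoch + 300)>
<cfset sig     = hmac(payload, application.ssoKey, "HmacSHA256", "utf-8")>
<!--- No expires attribute: session cookie. httponly/secure keep it away
      from page scripts and off plain-HTTP requests. --->
<cfcookie name="SysA_Login" value="#payload#|#sig#" httponly="true" secure="true">

<!--- Application B: verify before trusting the user ID --->
<cfset loginOK = false>
<cfif structKeyExists(cookie, "SysA_Login") AND listLen(cookie.SysA_Login, "|") EQ 3>
    <cfset inID  = listGetAt(cookie.SysA_Login, 1, "|")>
    <cfset inExp = listGetAt(cookie.SysA_Login, 2, "|")>
    <cfset inSig = listGetAt(cookie.SysA_Login, 3, "|")>

    <!--- Recompute the MAC over exactly the fields that were received --->
    <cfset expected = hmac(inID & "|" & inExp, application.ssoKey, "HmacSHA256", "utf-8")>

    <!--- MessageDigest.isEqual compares byte arrays in constant time,
          so the comparison does not leak how many characters matched --->
    <cfset md    = createObject("java", "java.security.MessageDigest")>
    <cfset sigOK = md.isEqual(charsetDecode(uCase(inSig), "utf-8"),
                              charsetDecode(uCase(expected), "utf-8"))>

    <cfset nowEpoch = dateDiff("s", createDate(1970,1,1), dateConvert("local2utc", now()))>
    <cfif sigOK AND isNumeric(inID) AND isNumeric(inExp) AND inExp GT nowEpoch>
        <cfset loginOK = true>
        <cfset session.userid = inID>
    </cfif>
</cfif>

<!--- Fail closed: missing, malformed, expired or forged cookie --->
<cfif NOT loginOK>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
```

Because the expiry is covered by the signature, a copied cookie stops validating after the lifetime ends, and changing either field invalidates the MAC.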


    Author Closing Comment

    Thank you!
