tan369

Reputation: 162

Using coldfusion session id for SSO authentication

I am integrating a 3rd party application. It will be embedded into my site via an iframe. When instantiating the iframe, a username and unique id (sessionid) is sent to the third party app in this format:

http://www.thirdpartyapp.com?username=9999999&uuid=appname_11111_d3d379ab97c23930-154C9639-1CC4-6169-286F5EB34A37B3C3

Once the user on the site tries to use any of the functions inside the iframe, the 3rd party app sends back the sessionid to the server, to validate if the session is logged in.

If a user is logged in, the application sets a session variable such as Session.Auth.Authenticated to true.

I am able to achieve this by using CFID and CFTOKEN like so:

http://www.mysite.com/checkauth/index.cfm?CFID=2223344&CFTOKEN=40487e5933d11e75-F94396AF-1CC4-6169-28200888416FFC

The third party app sends requests in the format:

http://www.mysite.com/checkauth/index.cfm?uuid=appname_11111_d3d379ab97c23930-154C9639-1CC4-6169-286F5EB34A37B3C3

Basically the same format as my site makes the request. Is there any way to check authenticated sessions using the session.sessionid?

Upvotes: 2

Views: 519

Answers (1)

Saurav Pandit

Reputation: 178

"Is there any way to check authenticated sessions using the Session.sessionid?"

Seems like it is possible. The ColdFusion sessionid consists of three things:

       appName_CFID_CFTOKEN

In your case the format of the url parameter of the request sent by the third party application is the same as session.sessionId:

       appname_11111_d3d379ab97c23930-154C9639-1CC4-6169-286F5EB34A37B3C3

Now if you enable "Use UUID for cftoken" in CF Admin under the "Settings" section you will get a session id like the following:

       PLANTOMATIC_11201_1f8a073a0ba85bf5-2F7356F3-BE59-A0B4-F3E493BD794062C6

So what you need to do is apply the setting "Use UUID for cftoken" in CF Admin. Then you can send a request to the third party like the following:

       http://www.thirdpartyapp.com?username=9999999&uuid=#session.sessionid#

It will respond back with the parameter "uuid". After that you can check for equality and take the necessary steps.

Upvotes: 1
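The check the answer describes, written out as an added example (not code from the question or the answer, and Python rather than CFML so the logic can be run and tested offline). The in-memory SESSIONS table stands in for ColdFusion's server-side session scope, which CF would load for you from the CFID and CFTOKEN embedded in the id; the application name, the two constructed sessions and the function names are assumptions, and the CFTOKEN pattern is derived from the example ids on this page.

```python
"""Model of the checkauth/index.cfm endpoint from the question.

Constructed example: the session store, application name and helper names
below are hypothetical, not ColdFusion's own API.
"""
import hmac
import re

# ColdFusion session ids look like appName_CFID_CFTOKEN. With "Use UUID for
# cftoken" enabled, CFTOKEN is hex groups joined by dashes, as in the ids on
# this page. The pattern is an assumption derived from those examples.
APPLICATION_NAME = "appname"          # assumed this.name of the CF application
CFTOKEN_RE = re.compile(r"^[0-9A-Fa-f]+(-[0-9A-Fa-f]+)+$")

# Constructed server-side session table keyed by (CFID, CFTOKEN). In real
# ColdFusion the session scope is loaded from those two values automatically.
SESSIONS = {
    ("11111", "d3d379ab97c23930-154C9639-1CC4-6169-286F5EB34A37B3C3"): {
        "sessionid": "appname_11111_d3d379ab97c23930-154C9639-1CC4-6169-286F5EB34A37B3C3",
        "auth": {"authenticated": True},
    },
    ("22222", "0f0f0f0f0f0f0f0f-00000000-0000-0000-0000000000000000"): {
        "sessionid": "appname_22222_0f0f0f0f0f0f0f0f-00000000-0000-0000-0000000000000000",
        "auth": {"authenticated": False},   # session exists but never logged in
    },
}


def parse_session_id(session_id):
    """Split appName_CFID_CFTOKEN into its three parts, or return None.

    Split from the right so an application name that itself contains
    underscores still parses: CFID is all digits and CFTOKEN has no underscore.
    """
    parts = session_id.rsplit("_", 2)
    if len(parts) != 3:
        return None
    app, cfid, cftoken = parts
    if not app or not cfid.isdigit() or not CFTOKEN_RE.match(cftoken):
        return None
    return app, cfid, cftoken


def check_auth(uuid):
    """Return True only if uuid names a live, authenticated session of this app.

    Mirrors what checkauth/index.cfm has to do with url.uuid: reject malformed
    input, find the session, confirm the id matches session.sessionid, then
    return Session.Auth.Authenticated.
    """
    parsed = parse_session_id(uuid)
    if parsed is None:
        return False
    app, cfid, cftoken = parsed
    if app != APPLICATION_NAME:
        return False
    session = SESSIONS.get((cfid, cftoken))
    if session is None:
        return False
    # The equality check from the answer, done in constant time so the
    # comparison itself does not leak how many leading characters matched.
    if not hmac.compare_digest(uuid.encode(), session["sessionid"].encode()):
        return False
    return bool(session["auth"]["authenticated"])


if __name__ == "__main__":
    for candidate in (
        "appname_11111_d3d379ab97c23930-154C9639-1CC4-6169-286F5EB34A37B3C3",
        "appname_22222_0f0f0f0f0f0f0f0f-00000000-0000-0000-0000000000000000",
        "other_11111_d3d379ab97c23930-154C9639-1CC4-6169-286F5EB34A37B3C3",
        "appname_11111",
    ):
        print(candidate, "->", check_auth(candidate))
```

One caveat a practitioner should keep in mind with this scheme: the uuid handed to the third party is the user's own session identifier, so it carries the same CFID and CFTOKEN that ColdFusion accepts as the session in the first checkauth URL. Anything that sees that iframe URL (the third-party application, proxies, web server logs, Referer headers) holds a credential that is the session itself, and the check above only confirms that the caller holds it, not who the caller is.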
