January 11th, 2013, 03:46 AM
User loses session when logging into another form automatically through cfhttp
I currently use the CFHTTP object from Ben Nadel.
This is the thing:
A user logs into our application. Then they choose an external application. The username and password for that external application are known, so through a CFHTTP request the user is automatically logged into the external application. The result is that the session of our application is lost.
When the user then logs into our application again, there is no more trouble and they can log into other external applications without losing our session. It is only the first time a user logs into an external application that our own session is lost.
I've searched all over Google for a solution, but having found none I now hope someone on devshed knows the answer. Thanks for any help!
<cfif IsDefined('webapplicationID') AND IsDefined('URL.userid')>
    <cfif session.user.role EQ 'Administrator' OR permissions.checkSimpleAccess(userUUID,webapplication.getValue('webapplicationNumber'))>
        <cfset url1 = webapplication.getValue('url') />
        <!--- Pick the separator depending on whether the URL already has a query string --->
        <cfif Find('?',url1) GT 0>
            <cfset cookieextention = '&' />
        <cfelse>
            <cfset cookieextention = '?' />
        </cfif>
        <!--- Append our own CFID/CFTOKEN to the external login URL --->
        <cfset url1 = url1 & cookieextention & 'CFID=' & cookie['cfid'] & '&CFTOKEN=' & cookie['cftoken'] />
        <!--- Post the stored credentials to the external application --->
        <cfset response = cfhttpRequest.NewRequest(url1) />
        <cfset response.addFormField(fieldValues.name, fieldValues.fieldvalue) />
        <cfset result = response.post() />
        <cfif result.responseheader.status_code EQ '404'>
            <h1>Error</h1><p>404: application not found</p>
        <cfelseif result.responseheader.status_code EQ '500'>
            <h1>Error</h1><p>500: server error</p>
        <cfelse>
            <!--- Forward the external application's Set-Cookie value in the redirect URL --->
            <cfset redirectLocation = webapplication.getValue('redirectTo') & '&' & Replace(result.responseheader["Set-Cookie"],";path=/","") & '&' & Replace(result.responseheader["Set-Cookie"],";path=/","") />
            <cflocation url="#redirectLocation#" addtoken="false" />
        </cfif>
    <cfelse>
        <!--- Not an administrator and no permission for this web application --->
        <cflocation url="/icca/icca_sparxdir/securitymanager/index.cfm?status=security" addtoken="false" />
    </cfif>
<cfelse>
    No webapplication or user known...
</cfif>
January 11th, 2013, 05:53 AM
Seems it is server dependent. We have a test server and a live server. It is only happening on the live server with the same code. Guess it should be found in the ColdFusion Administrator.
January 11th, 2013, 09:14 AM
If the CF administrator settings for session variables are the same on the different servers, the only way that should happen is if both applications use the same application name. Sessions are based on application name. I would check the application names set in the cfapplication tag or Application.cfc in both apps.
January 11th, 2013, 10:01 AM
Thanks for the help,
I took your advice and checked the application name. What I did is <cfdump> the whole application when a user has logged in. I did that in both applications. Both application names are different after login.
Furthermore, the test server is sort of an exact copy, with the difference that there are some new developments on the test. But in the application.cfm (they do not use an application.cfc) we almost never apply any changes. So I'm still wondering why it does work on the test server and not on the live.
I checked the settings in CFIDE-admin but did not see any major differences. They are the same when it comes to "Memory Variables". There is a slight change in "Client Variables", but we are not talking about "Client Variables". And if I'm mistaken, then the only difference is the names you can see there.
What else can it be?
January 11th, 2013, 10:34 AM
What we see is this:
When we log in and check the cookie info in the Firefox toolbar we see a number (CFID!). When we log into the external app the cookie-info number is changed.
On the test server this cookie info stays the same after the login. That is why it works. But how come the cookie info changes on the live and not on the test? Is it something in IIS maybe?
January 11th, 2013, 01:26 PM
On test vs. production, are the domains for the two applications different? e.g. app1.mysite.com vs app2.mysite.com? If they're different in production, that may be it. By default cookies are stored by domain, and each cookie name has to be unique. If that's the problem, you can take a look here: http://www.coldfusionmuse.com/index....and.subdomains
Last edited by kiteless; January 11th, 2013 at 01:29 PM.
January 14th, 2013, 08:32 AM
That seemed to work! Still weird, because it does not have to be used on the test server. We use test.domain.com and data.domain.com. So I am guessing there's still something different somewhere in the settings on the server. In IIS or maybe in the ColdFusion Administrator, although the latter does not seem to be so.
But we're already glad the little tweak in the application-code works, so thank you for your help.
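Added example, not part of the thread or of either application's code: a small model of how a browser stores cookies by (name, domain, path), illustrating the cookie-scoping point raised in the replies above. It assumes both applications issue a cookie named CFID on sibling subdomains; the hostnames, values, and the `CookieJar` and `simulate` names are constructed for illustration.

```javascript
// Minimal model of browser cookie storage (RFC 6265, section 5.3).
// A stored cookie is identified by name + domain + path; a second cookie
// with the same identity replaces the first. All values are constructed.
class CookieJar {
  constructor() { this.store = new Map(); }

  // host: the server sending Set-Cookie.
  // domainAttr: the Domain attribute, or null for a host-only cookie.
  set(host, name, value, domainAttr = null) {
    const domain = (domainAttr ? domainAttr.replace(/^\./, '') : host).toLowerCase();
    // A host may only set cookies for itself or one of its parent domains.
    if (domainAttr && host !== domain && !host.endsWith('.' + domain)) return false;
    this.store.set(`${name}|${domain}|/`, { name, value, domain, hostOnly: !domainAttr });
    return true;
  }

  // Cookies the browser would attach to a request for `host`.
  cookiesFor(host) {
    const sent = [];
    for (const c of this.store.values()) {
      const matches = c.hostOnly
        ? host === c.domain
        : host === c.domain || host.endsWith('.' + c.domain);
      if (matches) sent.push(`${c.name}=${c.value}`);
    }
    return sent;
  }
}

// The user logs into app1, then the auto-login lands the browser on app2,
// which issues its own CFID. Each argument is that app's Domain attribute.
function simulate(app1Domain, app2Domain) {
  const jar = new CookieJar();
  jar.set('app1.mysite.com', 'CFID', '1001', app1Domain);
  jar.set('app2.mysite.com', 'CFID', '2002', app2Domain);
  return {
    app1: jar.cookiesFor('app1.mysite.com'),
    app2: jar.cookiesFor('app2.mysite.com'),
  };
}

// Both apps scope CFID to the parent domain: one slot, app1's id is replaced.
console.log(simulate('.mysite.com', '.mysite.com'));
// Host-only cookies: each app keeps its own CFID.
console.log(simulate(null, null));
// Mixed scoping: app1 receives two CFID values and cannot tell which is its own.
console.log(simulate(null, '.mysite.com'));
```

Comparing the `Set-Cookie` headers each server actually sends (with and without a `Domain` attribute) is the quickest way to see which of these cases a given environment is in.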