Tags: web-services, session, coldfusion, coldfusion-10

saving coldfusion session for retest authentication?


I have a problem trying to create an authentication system for some methods of a web service. I want to create a UUID (session token), put it in an XML like this, and, when I'm using other functions, reuse this token for authentication.

I create a function like this:

<cffunction name="myfunction" access="remote" returntype="xml">
    <cfargument name="user" type="string" required="true">
    <cfargument name="pwd" type="string" required="true">

    <!--- LOGIN HERE: look up the user and test whether local.myuser matches exactly one record --->
    <cfif local.myuser.recordcount is 1>
        <cfxml variable="local.myresult"><cfoutput>
            <myxml>
                <response type="myresponse">
                    <message>Autenticazione effettuata correttamente</message>
                    <dati>
                        <idtoken>#session.urltoken#</idtoken>
                        <iduser>#local.myuser.iduser#</iduser>
                    </dati>
                </response>
            </myxml>
        </cfoutput></cfxml>
    <cfelse>
        <!--- Login failed: still return an XML document so the declared returntype is honoured --->
        <cfxml variable="local.myresult">
            <myxml><response type="error"><message>Login failed</message></response></myxml>
        </cfxml>
    </cfif>
    <cfreturn local.myresult>
</cffunction>

My question is: How can I take a session for retest authentication as in the following line?

if session.mytoken is session.realtoken

Solution

  • Yes, it is possible to do what you are asking but is that really necessary? If you build a token based authentication scheme then it will be up to you (your code) to maintain the aspects of that token. Creating the token. Passing the token. Checking the token. Is the token valid? Does the token expire? etc. In my opinion the token is not necessary.

    Instead, I would recommend treating your web services just like any other secured ColdFusion application. When a user visits (requests your web service) check for a valid session. You can easily leverage ColdFusion's onCFCRequest method of the Application.cfc file to check every request that is made of your web service(s). If no session exists, return a 401 response to ask them to authenticate. This will also allow you to leverage the built-in functionality of Java EE sessions.

    There are several examples of this setup on the internet:

    Of course, you can still use these methods to secure your services and create a token to pass back and forth if you need to. Just store the token in that user's session and check against it for each of their requests.
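As an added illustration of the approach the answer describes (this is not code from the original question or answer), here is an Application.cfc whose onCFCRequest checks every remote CFC call for an authenticated session, returns 401 when there is none, and optionally compares a token argument against the one stored in that user's session. It assumes a remote method named login that sets session.isAuthenticated and session.apiToken after verifying the credentials, and that the service methods return XML; the application name, method names and the XML error body are assumptions.

```cfml
<cfcomponent output="false">
    <!--- Added example: application settings; the name is assumed --->
    <cfset this.name = "MyWebServiceApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Remote methods callable without a session. Assumed: "login" sets
          session.isAuthenticated = true and session.apiToken on success --->
    <cfset variables.publicMethods = "login">

    <cffunction name="onCFCRequest" returntype="void" output="true">
        <cfargument name="cfcname" type="string" required="true">
        <cfargument name="method" type="string" required="true">
        <cfargument name="args" type="struct" required="true">

        <cfset var isPublic = listFindNoCase(variables.publicMethods, arguments.method) GT 0>
        <cfset var authorized = isPublic>

        <cfif NOT isPublic>
            <!--- A session must exist and be marked authenticated --->
            <cfset authorized = structKeyExists(session, "isAuthenticated") AND session.isAuthenticated>

            <cfif authorized AND structKeyExists(session, "apiToken")>
                <!--- Optional token check: the caller's "token" argument must match the
                      token stored in this session exactly (compare() is case-sensitive) --->
                <cfset authorized = structKeyExists(arguments.args, "token")
                    AND compare(arguments.args.token, session.apiToken) EQ 0>
            </cfif>
        </cfif>

        <cfif NOT authorized>
            <!--- No valid session or token: ask the client to authenticate --->
            <cfheader statuscode="401" statustext="Unauthorized">
            <cfcontent type="text/xml" reset="true">
            <cfoutput><response type="error"><message>Authentication required</message></response></cfoutput>
            <cfabort>
        </cfif>

        <!--- Authorized: with onCFCRequest defined, we must invoke the method and emit its result ourselves --->
        <cfinvoke component="#arguments.cfcname#" method="#arguments.method#"
                  argumentcollection="#arguments.args#" returnvariable="local.result">
        <cfcontent type="text/xml" reset="true">
        <cfoutput>#toString(local.result)#</cfoutput>
    </cffunction>
</cfcomponent>
```

Because the check lives in Application.cfc, every remote method of every CFC under it is covered without repeating the test inside each function.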