I have a problem trying to create an authentication system for some methods of a web service. I want to create a UUID (session token), put it in an XML document like the one below, and reuse this token for authentication when I'm calling other functions.
I created a function like this:
<cffunction name="myfunction" access="remote" returntype="xml" output="false">
    <cfargument name="user" type="string" required="true">
    <cfargument name="pwd" type="string" required="true">
    <!--- LOGIN HERE and test if local.myuser is ok --->
    <cfif local.myuser.recordcount is 1>
        <cfxml variable="local.myresult"><cfoutput>
            <myxml>
                <response type="myresponse">
                    <message>Autenticazione effettuata correttamente</message>
                    <dati>
                        <idtoken>#session.urltoken#</idtoken>
                        <iduser>#local.myuser.iduser#</iduser>
                    </dati>
                </response>
            </myxml>
        </cfoutput></cfxml>
        <cfreturn local.myresult>
    </cfif>
</cffunction>
My question is: how can I get the session back to re-check authentication, as in the following line?
<cfif session.mytoken is session.realtoken>
Yes, it is possible to do what you are asking, but is that really necessary? If you build a token-based authentication scheme, then it will be up to you (your code) to maintain every aspect of that token: creating the token, passing the token, checking the token, deciding whether the token is valid, deciding whether the token expires, etc. In my opinion the token is not necessary.
Instead, I would recommend treating your web services just like any other secured ColdFusion application. When a user visits (requests your web service), check for a valid session. You can easily leverage ColdFusion's onCFCRequest method of the Application.cfc file to check every request that is made of your web service(s). If no session exists, return a 401 response to ask them to authenticate. This will also allow you to leverage the built-in functionality of Java EE sessions.
There are several examples of this setup on the internet:
- For example, search Google for "ColdFusion authenticating web services"
- There was a recent discussion about this here on StackOverflow
- It is mentioned in the Adobe documentation: Securing your web services
- Another StackOverflow reference: Develop ColdFusion Web Service
- Of course Ben Nadel has an article on the subject
Of course, you can still use these methods to secure your services and create a token to pass back and forth if you need to. Just store the token in that user's session and check against it on each of their requests.
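The setup described in this answer (an onCFCRequest gate in Application.cfc that rejects calls without a valid session with a 401, plus the asker's login method rewritten to store a UUID token in the session), as an added example that is not code from either post. The component name myservice, the public method name login, and the credential-check call userDao.authenticate() are assumptions; the credential lookup itself is a placeholder you would replace with your own query.

```cfml
<!--- Application.cfc (added example; assumes ColdFusion 10+ for sessionRotate()) --->
<cfcomponent output="false">
    <cfset this.name = "MyWebServiceApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Remote methods callable without a session (assumed name: login) --->
    <cfset variables.publicMethods = "login">

    <cffunction name="onCFCRequest" returntype="void" output="true">
        <cfargument name="cfcname" type="string" required="true">
        <cfargument name="method"  type="string" required="true">
        <cfargument name="args"    type="struct" required="true">

        <!--- A session counts as authenticated only once login has stored a token in it --->
        <cfset local.authenticated = structKeyExists(session, "authToken") AND len(session.authToken)>

        <!--- Non-public method without an authenticated session: answer 401 and stop --->
        <cfif NOT listFindNoCase(variables.publicMethods, arguments.method) AND NOT local.authenticated>
            <cfset sendError(401, "Unauthorized", "Authentication required")>
            <cfreturn>
        </cfif>

        <!--- Optional: if the caller echoes the token it was issued, it must match the session copy --->
        <cfif local.authenticated AND structKeyExists(arguments.args, "token")
              AND compare(arguments.args.token, session.authToken) NEQ 0>
            <cfset sendError(401, "Unauthorized", "Invalid token")>
            <cfreturn>
        </cfif>

        <!--- Gate passed: run the requested method and return its XML to the client --->
        <cfinvoke component="#arguments.cfcname#" method="#arguments.method#"
                  argumentcollection="#arguments.args#" returnvariable="local.result">
        <cfcontent type="text/xml" reset="true">
        <cfoutput>#toString(local.result)#</cfoutput>
    </cffunction>

    <!--- Small helper so every refusal has the same status code and XML body --->
    <cffunction name="sendError" returntype="void" output="true" access="private">
        <cfargument name="code" type="numeric" required="true">
        <cfargument name="text" type="string"  required="true">
        <cfargument name="msg"  type="string"  required="true">
        <cfheader statuscode="#arguments.code#" statustext="#arguments.text#">
        <cfcontent type="text/xml" reset="true">
        <cfoutput><response type="error"><message>#xmlFormat(arguments.msg)#</message></response></cfoutput>
    </cffunction>
</cfcomponent>

<!--- myservice.cfc (added example): the login method that creates the session token --->
<cfcomponent output="false">
    <cffunction name="login" access="remote" returntype="xml" output="false">
        <cfargument name="user" type="string" required="true">
        <cfargument name="pwd"  type="string" required="true">

        <!--- Placeholder credential check: userDao.authenticate() is assumed to return a
              query with one row (columns iduser, ...) on success and zero rows otherwise --->
        <cfset local.myuser = variables.userDao.authenticate(arguments.user, arguments.pwd)>

        <cfif local.myuser.recordcount is 1>
            <!--- New session id on login so a pre-login session id cannot be reused --->
            <cfset sessionRotate()>
            <cfset session.authToken = createUUID()>
            <cfset session.iduser = local.myuser.iduser>
            <cfxml variable="local.myresult"><cfoutput>
                <myxml>
                    <response type="myresponse">
                        <message>Authentication successful</message>
                        <dati>
                            <idtoken>#session.authToken#</idtoken>
                            <iduser>#local.myuser.iduser#</iduser>
                        </dati>
                    </response>
                </myxml>
            </cfoutput></cfxml>
        <cfelse>
            <cfxml variable="local.myresult"><cfoutput>
                <myxml><response type="error"><message>Invalid credentials</message></response></myxml>
            </cfoutput></cfxml>
        </cfif>
        <cfreturn local.myresult>
    </cffunction>
</cfcomponent>
```

With this in place, the client logs in once, keeps the session cookie (or the CFID/CFTOKEN pair) and calls the other remote methods; every call that reaches a non-public method without an authenticated session is refused at the onCFCRequest gate with a 401 before the method body runs. The token echoed by the client is optional and is only compared against the copy held server-side in the session, so the session remains the source of truth, as the answer recommends.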