Sunday, 15 August 2010

session - ColdFusion 10: jsessionid not working when passed in URL

We are migrating from ColdFusion 8 to 10. ColdFusion only.

Current architecture in ColdFusion 8 for .NET and CF integration:
  1. The session is set when the user enters the app (CF). (We are using J2EE sessions.)
  2. When a user is logged on and clicks on the .NET link, the following steps are taken to check the CF session from the .NET page via jsessionid, CFID and CFTOKEN in the URL:

    2a. Make a normal web call that requests a ColdFusion file (chkSession.cfm) with the jsessionid in the URL.

    2b. chkSession.cfm will return session.UID. It will return 1 if available; session.UID will be available if the jsessionid in the URL is valid.

    2c. If a valid UID has been returned then the .NET page will be loaded. If -1 is returned then the user will be redirected to the login page.

Now in CF10:

In CF10 we always receive -1. I have read that, as part of the security increase in CF10, we will no longer be able to recreate the ColdFusion session by passing CFID, CFTOKEN and jsessionid in the URL.

I would like advice on the best way to work with our .NET functionality in ColdFusion 10. Is there a better way to check ColdFusion sessions from .NET? One option that I can think of is using the database. I am looking for a solution that can be implemented quickly and is robust.

I think the .NET client code has to be changed so that it sends the JSESSIONID as a cookie value in its request. That way you will have the functionality working again.

It is worth noting that by exposing session IDs in the URL you may face some security vulnerabilities, so that may be something you want to look at in future.

I have also used the database approach you mentioned. If you go this route, use a GUID as the identifier in the CF code and record a timestamp when the record is created. On the .NET side, look up the GUID and only accept it if the timestamp is less than X seconds old, so you do not create a token that will authenticate you for a long time. X should be the maximum time you think it will take the client to get from the CF redirect to the .NET pages, so 2 seconds is probably quite generous. You want to remove the used token, and have a scheduled job to remove 'unused' tokens.
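The database handoff described in that answer, as an added example that is not part of the original post or of either product's code: a single-use, time-limited token store in Python standing in for the shared table, with the CF side issuing the GUID, the .NET side redeeming it once within X seconds, and a scheduled purge for tokens never redeemed. The class and method names are assumptions of this example.

```python
import time
import uuid
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class _Entry:
    user_id: str        # who the CF session belonged to
    issued_at: float    # the timestamp the answer says to record


class HandoffTokenStore:
    """Single-use, short-lived tokens for handing a CF session to a .NET page.

    Models the shared database table from the answer: the CF side issues a
    random GUID with a timestamp, the .NET side redeems it once within
    max_age seconds, and a scheduled job purges tokens that were never used.
    """

    def __init__(self, max_age_seconds: float = 2.0):
        self.max_age = max_age_seconds          # the answer's "X seconds"
        self._tokens: Dict[str, _Entry] = {}

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """CF side: create a fresh random GUID bound to the logged-in user."""
        token = str(uuid.uuid4())               # random, not guessable from earlier tokens
        self._tokens[token] = _Entry(user_id, time.time() if now is None else now)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """.NET side: accept the token once, and only while it is still fresh.

        Returns the user id on success, None if unknown, expired or reused.
        The token is removed on every lookup, so it cannot be replayed even
        when the first attempt was rejected as stale.
        """
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        if now - entry.issued_at > self.max_age:
            return None                          # expired: dropped, not honoured
        return entry.user_id

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Scheduled job: delete tokens that were issued but never redeemed."""
        now = time.time() if now is None else now
        stale = [t for t, e in self._tokens.items() if now - e.issued_at > self.max_age]
        for t in stale:
            del self._tokens[t]
        return len(stale)
```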
