Re: Webservice Session Authentication

2006-09-20 Thread Jim
1) an idea:

they send their credentials to your ws

if okay, you generate a really long (say, 256 characters) random string

you update their user record, and put that string into a field e.g. authkey

you send that string back to them

they then send that string to the report for auth, which checks the db 
for that string


2) SSL is probably way, way  better!



Greg Luce wrote:
 OK, this has kicked my butt for 2 days now. I have a CF application (SSL)
 with a certain report a client wants to serve up inside their C#.NET app
 frameset. They have credentials they can provide. I've been trying to use a
 webservice to authenticate these credentials (username/pw) and if good
 create a bunch of session variables as if they were logging in manually. I
 was hoping to then return a CFID and CFToken or jsessionid to the consumer
 and they could use that in their frameset call of the report and they would
 join that session. Currently I can create the session via the ws and send
 back the structcount() of the session. But there don't seem to be cfid and
 cftokens defined nor jsessionid.

 So, is what I'm attempting impossible, possible using some other technique,
 or just stoopid?

 Maybe I'm making this too hard. Is there any problem just having the users
 pass their credentials (encrypted with today's julian date as key) to the
 report via the url over SSL?

 Thanks for any ideas to help me beat this thing. I know the first step is to
 admit I have a problem and that I'm powerless over it! ;-)

 Greg


 

~|
Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting,
up-to-date ColdFusion information by your peers, delivered to your door four 
times a year.
http://www.fusionauthority.com/quarterly

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253626
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
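
The flow in Jim's idea (1), as an added example that is not code from the thread: the web service checks credentials and stores a random key in the user's `authkey` field, and the report looks that key up. The SQLite table, the function names, the 120-second lifetime, the single-use rule and storing only a hash of the key are assumptions added here.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL = 120  # seconds; assumption, the thread gives no lifetime

def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()

def make_db():
    """In-memory user table with the 'authkey' field from the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT,"
               " authkey TEXT, authkey_expires REAL)")
    # Constructed sample user; a real table would hold a salted, slow hash.
    db.execute("INSERT INTO users VALUES (?, ?, NULL, NULL)",
               ("client1", _digest("s3cret-sample")))
    return db

def ws_login(db, username, password, now=None):
    """Web service side: check credentials, mint and store a random key."""
    now = time.time() if now is None else now
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None or not secrets.compare_digest(row[0], _digest(password)):
        return None
    token = secrets.token_urlsafe(192)  # 192 random bytes -> 256 URL-safe chars
    # Store only a hash so a leaked table does not yield usable keys.
    db.execute("UPDATE users SET authkey = ?, authkey_expires = ? "
               "WHERE username = ?", (_digest(token), now + TOKEN_TTL, username))
    return token

def report_auth(db, token, now=None):
    """Report side: look the key up, enforce expiry, and burn it on use."""
    now = time.time() if now is None else now
    row = db.execute("SELECT username, authkey_expires FROM users "
                     "WHERE authkey = ?", (_digest(token),)).fetchone()
    if row is None or row[1] < now:
        return None
    db.execute("UPDATE users SET authkey = NULL, authkey_expires = NULL "
               "WHERE username = ?", (row[0],))
    return row[0]
```

Because the key ends up in the frameset URL, the short lifetime and single use limit what a copy from a log or browser history is worth.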


Re: Webservice Session Authentication

2006-09-20 Thread Greg Luce
OK, are you saying just sending their credentials via url over SSL is best?

On 9/20/06, Jim [EMAIL PROTECTED] wrote:

 1) an idea:

 they send their credentials to your ws

 if okay, you generate a really long (say, 256 characters) random string

 you update their user record, and put that string into a field e.g. authkey

 you send that string back to them

 they then send that string to the report for auth, which checks the db
 for that string


 2) SSL is probably way, way  better!



 Greg Luce wrote:
  OK, this has kicked my butt for 2 days now. I have a CF application (SSL)
  with a certain report a client wants to serve up inside their C#.NET app
  frameset. They have credentials they can provide. I've been trying to use a
  webservice to authenticate these credentials (username/pw) and if good
  create a bunch of session variables as if they were logging in manually. I
  was hoping to then return a CFID and CFToken or jsessionid to the consumer
  and they could use that in their frameset call of the report and they would
  join that session. Currently I can create the session via the ws and send
  back the structcount() of the session. But there don't seem to be cfid and
  cftokens defined nor jsessionid.

  So, is what I'm attempting impossible, possible using some other technique,
  or just stoopid?

  Maybe I'm making this too hard. Is there any problem just having the users
  pass their credentials (encrypted with today's julian date as key) to the
  report via the url over SSL?

  Thanks for any ideas to help me beat this thing. I know the first step is to
  admit I have a problem and that I'm powerless over it! ;-)
 
  Greg
 
 
 

 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253633


Re: Webservice Session Authentication

2006-09-20 Thread Greg Luce
Maybe I'm way off base trying to authenticate the user and start the session
via webservice. If the SSL is enough with an encrypted url var that would
make my life a lot easier!

I'm open to any ideas!

Greg

On 9/20/06, Greg Luce [EMAIL PROTECTED] wrote:

 OK, are you saying just sending their credentials via url over SSL is best?


 On 9/20/06, Jim [EMAIL PROTECTED]  wrote:
 
  1) an idea:
 
  they send their credentials to your ws

  if okay, you generate a really long (say, 256 characters) random string

  you update their user record, and put that string into a field e.g. authkey
 
  you send that string back to them
 
  they then send that string to the report for auth, which checks the db
  for that string
 
 
  2) SSL is probably way, way  better!
 
 
 
  Greg Luce wrote:
   OK, this has kicked my butt for 2 days now. I have a CF application (SSL)
   with a certain report a client wants to serve up inside their C#.NET app
   frameset. They have credentials they can provide. I've been trying to use a
   webservice to authenticate these credentials (username/pw) and if good
   create a bunch of session variables as if they were logging in manually. I
   was hoping to then return a CFID and CFToken or jsessionid to the consumer
   and they could use that in their frameset call of the report and they would
   join that session. Currently I can create the session via the ws and send
   back the structcount() of the session. But there don't seem to be cfid and
   cftokens defined nor jsessionid.

   So, is what I'm attempting impossible, possible using some other technique,
   or just stoopid?

   Maybe I'm making this too hard. Is there any problem just having the users
   pass their credentials (encrypted with today's julian date as key) to the
   report via the url over SSL?

   Thanks for any ideas to help me beat this thing. I know the first step is to
   admit I have a problem and that I'm powerless over it! ;-)
  
   Greg
  
  
  
 
  


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253646


Re: Webservice Session Authentication

2006-09-20 Thread Denny Valliant
On 9/20/06, Greg Luce [EMAIL PROTECTED] wrote:
 Maybe I'm way off base trying to authenticate the user and start the session
 via webservice. If the SSL is enough with an encrypted url var that would
 make my life a lot easier!

That's pretty much how it all works anyways, right folks?

Maybe key/salt off of IP address and date or some such?

Guess it's sorta context dependent, as to what will be enough. :-/


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253684