We also came up with another solution that is somewhat complex to code, but the end result is pretty fair. Have the authorization/main server send its sessionid for this particular client to the other server in the first request, which could even be done with a POST method. Then, have the other server store that sessionid in a session and, upon every request for a page on that server, have it do an HTTP POST back to the authorization server with the sessionid to make sure that session is still authenticated on the main server. I currently don't see any particular security holes or drawbacks to this solution other than the design.
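The back-channel design described above, written out as an added example (this is not code from the thread or from ColdFusion; it is a self-contained Python model). The two classes stand in for the main/authorization server and one secondary application server; the `validate` method stands in for the HTTP POST endpoint the secondary server calls on every page request, and `APP_SHARED_SECRET` is an assumed credential, added here so that only enrolled application servers can query session state.

```python
import secrets
import time

# Constructed in-memory stand-ins for the two servers in the design above.
# In a real deployment the "requests" below would be HTTPS POSTs between the
# main (authorization) server and the secondary application server.

APP_SHARED_SECRET = "constructed-app-to-main-secret"  # hypothetical value


class MainServer:
    """Authorization server: owns the real sessions and answers validation posts."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": ..., "expires": ...}

    def login(self, user, ttl=1800, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "expires": now + ttl}
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def validate(self, post_body, now=None):
        """Handler for the POST the app server sends on every page request."""
        now = time.time() if now is None else now
        # Only app servers holding the shared secret may query session state;
        # otherwise this endpoint is an oracle for guessing session ids.
        if not secrets.compare_digest(post_body.get("app_secret", ""), APP_SHARED_SECRET):
            return {"status": 403, "valid": False}
        sid = post_body.get("sessionid", "")
        rec = self.sessions.get(sid)
        if rec is None or rec["expires"] < now:
            self.sessions.pop(sid, None)
            return {"status": 401, "valid": False}
        return {"status": 200, "valid": True, "user": rec["user"]}


class AppServer:
    """One of the secondary servers: stores the main sessionid and re-checks it."""

    def __init__(self, main):
        self.main = main
        self.local = {}  # this server's own cookie -> main server session id

    def _check(self, main_sid, now=None):
        body = {"sessionid": main_sid, "app_secret": APP_SHARED_SECRET}
        return self.main.validate(body, now)

    def first_request(self, post_body, now=None):
        """The first request from the main server carries its sessionid in the POST body."""
        main_sid = post_body.get("sessionid", "")
        # Verify before trusting it; never store an id that has not been checked.
        resp = self._check(main_sid, now)
        if not resp["valid"]:
            return {"status": 401}
        local_sid = secrets.token_urlsafe(32)  # this server's own session cookie
        self.local[local_sid] = main_sid
        return {"status": 200, "set_cookie": local_sid}

    def page_request(self, cookie, now=None):
        """Every page request posts back to the main server before serving."""
        main_sid = self.local.get(cookie)
        if main_sid is None:
            return {"status": 401}
        resp = self._check(main_sid, now)
        if not resp["valid"]:
            self.local.pop(cookie, None)  # main session is gone: drop ours too
            return {"status": 401}
        return {"status": 200, "user": resp["user"]}


def demo():
    """Walk through login, hand-off, page request, logout, and a forged id."""
    main = MainServer()
    app = AppServer(main)
    sid = main.login("nsafley")
    handoff = app.first_request({"sessionid": sid})
    cookie = handoff["set_cookie"]
    served = app.page_request(cookie)["status"]
    main.logout(sid)
    after_logout = app.page_request(cookie)["status"]
    forged = app.first_request({"sessionid": "not-a-real-session"})["status"]
    return served, after_logout, forged


if __name__ == "__main__":
    print(demo())  # (200, 401, 401)
```

Two things the model makes visible that the prose does not: the main server's sessionid is a bearer secret while it is in transit to the other server, so that hand-off and every validation post need TLS; and the validation endpoint itself needs to authenticate its caller, otherwise it lets anyone on the network test whether a guessed sessionid is live.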
-----Original Message-----
From: LaPlante, Bryan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 10:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [KCFusion] Implementing an Enterprise Single Login

I didn't realize this solution was across different domains/boxes. The server scope will not span multiple boxes. Here is a link to another storage method that stores more complex data and allows more drive space on the client. I have a code example of how to use an XML store. The downside is that it is specific to IE4.x on a PC. I have not played with it across domains, but I think it is possible to do what you have to do with it.

This URL may wrap.

Bryan
-----Original Message-----
From: Safley, Nicole [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 4:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [KCFusion] Implementing an Enterprise Single Login

Yes.  The site will be secure, and will span multiple domains. 
-----Original Message-----
From: Robert [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 4:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [KCFusion] Implementing an Enterprise Single Login

Nicole,

Are you worried that the cookie will be unreadable because the site will be 'secure' with a certificate? Because, if you're using session variables and <cfapplication>, it isn't affected by having an SSL certificate. Is that your concern?

Thanks,
Robert

----- Original Message -----
Sent: Wednesday, April 17, 2002 4:32 PM
Subject: [KCFusion] Implementing an Enterprise Single Login

We are attempting to implement a solution that will allow a user to enter our web "portal", log on, and, based on that log-on (verified in the LDAP directory), utilize any one of many secure applications. On the front side of things, we plan to set a cookie that will stay with the user throughout the session. My question is then how, as one of those many secure sites, can I decipher the cookie and read the authentication information to determine that the user is in fact valid? Any ideas? We've thrown around the idea of using a Java Servlet to do the decode, and then set the ColdFusion session variables accordingly. This is new territory for me, so any help that could be provided would be greatly appreciated.

Nicole L. Safley
Database Programmer/Analyst
Administrative Systems Project
University of Missouri-Columbia
[EMAIL PROTECTED]
(573) 882-6284
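One way a secondary site can verify the portal's cookie without calling back to the portal, as an added example that is not part of the thread and not the Java Servlet approach the question mentions: the portal signs the cookie contents with an HMAC under a secret shared with every participating application, and each application checks the signature and expiry locally before setting its own session variables. The cookie format (`base64(json).base64(mac)`), the claim names and the shared secret are all assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed example: the portal signs the cookie with a secret shared with
# every participating application; each application verifies the signature
# locally instead of decoding the cookie's contents on trust.


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(secret: bytes, user: str, groups, ttl: int = 1800, now=None) -> str:
    """Portal side: build 'payload.mac' after the LDAP log-on has succeeded."""
    now = int(time.time()) if now is None else int(now)
    claims = {"user": user, "groups": list(groups), "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(mac)


def verify_cookie(secret: bytes, cookie: str, now=None):
    """Application side: return the claims if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_b64, mac_b64 = cookie.split(".")
        payload, mac = _b64d(payload_b64), _b64d(mac_b64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie: wrong number of parts or bad base64
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forger gets no timing hint about the MAC.
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)  # only parsed after the MAC has been checked
    if claims.get("exp", 0) < now:
        return None
    return claims


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # assumed value, distributed out of band
    cookie = issue_cookie(secret, "nsafley", ["staff"])
    print(verify_cookie(secret, cookie))
    print(verify_cookie(secret, "f" + cookie[1:]))  # tampered payload -> None
```

This settles the "how do I know the cookie is genuine" part of the question; it does not by itself solve the multiple-domain problem raised later in the thread, since a browser only sends a cookie to the domain that set it, so sites on other domains still need the token handed to them (for example in the first request the portal makes to them). Anyone holding the shared secret can mint a valid cookie, so it must be distributed only to the applications and kept out of client-side code.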
