Re: [KCFusion] Implementing an Enterprise Single Login
We are using LDAP at work to perform similar user validation; I would recommend using Client Variables instead of cookies. I don't see why you would want to use Java servlets for this process. Here's sample code:

1) In your index.cfm file include this or similar code:

    <!--- Run the check on every page; client.validated is only set by ldapauth.cfm --->
    <cfif NOT IsDefined("client.validated")>
        <cfinclude template="Security.cfm">
    </cfif>

2) In security.cfm include this or similar code:

    <!--- Anyone without client.validated = "success" is sent to the login page --->
    <cfif IsDefined("client.validated")>
        <cfif client.validated EQ "success">
            <!--- validated: fall through --->
        <cfelse>
            <cflocation url="login.cfm">
        </cfif>
    <cfelse>
        <cflocation url="login.cfm">
    </cfif>
    <cflocation url="index.cfm">

3) In login.cfm include this or similar code:

    <html>
    <head><title>Content Administrator</title></head>
    <body>
    <!--- ldapauth.cfm sends failed logins back here with ?success=false --->
    <cfif IsDefined("url.success")>
        Please enter the correct login.<br>
        Check Your Username and Password.<br>
    </cfif>
    <!--- Arriving here while validated means logout: clear the client variables --->
    <cfif IsDefined("client.validated")>
        <cfset Temp = DeleteClientVariable("validated")>
        <cfset Temp = DeleteClientVariable("name")>
        <cfset Temp = DeleteClientVariable("alias")>
        <cfset Temp = DeleteClientVariable("email")>
        <cfset client.alias = 0>
        <center><strong>Logout Successful</strong></center><br>
    </cfif>
    <form action="ldapauth.cfm" method="post">
    <table border="0">
    <tr><td align="center">
        <table width="100%" cellpadding="4" cellspacing="0" border="0">
        <tr>
            <td valign="top"><div id="normal"><b>LDAP Alias :</b></div></td>
            <td valign="top"><input type="text" name="alias" size="28"></td>
        </tr>
        <tr>
            <td><div id="normal"><b>Password : </b></div></td>
            <td><input type="password" name="password" size="28"></td>
        </tr>
        </table>
        <br>
        <input type="submit" name="cmdSubmit" value="Log In">
    </td></tr>
    </table>
    </form>
    </body>
    </html>

4) In ldapauth.cfm, use this or similar code:

    <!--- An empty password would be an anonymous LDAP bind, which succeeds without proving anything --->
    <cfif FORM.password IS "">
        <cflocation url="login.cfm?success=false">
    </cfif>
    <!--- form.alias is placed inside the search filter, so only allow characters that cannot alter it --->
    <cfif NOT REFind("^[A-Za-z0-9._-]+$", FORM.alias)>
        <cflocation url="login.cfm?success=false">
    </cfif>
    <cftry>
        <!--- Look up the entry for this alias to get its DN --->
        <cfldap name="Getdn" action="QUERY" server="ldap.whatever.com"
                start="o=whatever,c=an" scope="subtree" timeout="50"
                filter="(alias=#form.alias#)" attributes="cn,dn,mail">
        <!--- Bind as that DN with the submitted password; a wrong password throws --->
        <cfldap name="ChkPwd2" action="QUERY" server="ldap.whatever.com"
                start="o=whatever,c=an" scope="subtree" maxrows="2"
                username="#Getdn.dn#" password="#form.password#" attributes="dn">
        <cfcatch type="Any">
            <cflocation url="login.cfm?success=false">
        </cfcatch>
    </cftry>
    <!--- No entry matched the alias --->
    <cfif Getdn.cn EQ "">
        <cflocation url="login.cfm?success=false">
    </cfif>
    <html>
    <head><title>LDAP Authentication</title></head>
    <body>
    <cfoutput>
        <!--- Record who logged in, then return to the portal page --->
        <cfset client.alias = form.alias>
        <cfset client.name = Left(Getdn.cn, Find(",", Getdn.cn) - 1)>
        <cfset client.email = Getdn.mail>
        <cfset client.validated = "success">
        <cflocation url="index.cfm">
    </cfoutput>
    </body>
    </html>

Hope this helps

At 04:32 PM 4/17/2002 -0500, you wrote:
> We are attempting to implement a solution that will allow a user to enter our web portal, log on and, based on that log-on (verified in the LDAP directory), utilize any one of many secure applications. On the front side of things, we plan to set a cookie that will stay with the user throughout the session. My question is then how, as one of those many secure sites, can I decipher the cookie and read the authentication information to determine that the user is in fact valid. Any ideas? We've thrown around the idea of using a Java Servlet to do the decode, and then set the ColdFusion session variables accordingly. This is new territory for me, so any help that could be provided would be greatly appreciated.
>
> Nicole L. Safley
> Database Programmer/Analyst
> Administrative Systems Project
> University of Missouri-Columbia
> [EMAIL PROTECTED]
> (573) 882-6284

Richard Morrison
Cold Fusion Programmer (SDS), Schlumberger DRILLING SERVICES
P.O. Box 9261, Dubai, United Arab Emirates
Direct: 971 4 306 7127, Fax: 971 4 331 3614, Mobile: 971 50 62 10 869

I understand that U.S. trade regulations prohibit certain transfers of U.S. technology, technical data or software to U.S. embargoed states. I am aware of Schlumberger's Trade Control Policy and the OFS Export Administration procedures with respect to U.S. embargoed states and confirm that this transmission does not cause a prohibited transfer of technology, technical data or software.
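The lookup-then-bind check that ldapauth.cfm performs, as an added example that is not part of Richard's post, written in Python against a constructed in-memory directory (the entries, DNs, the `search`/`simple_bind` stand-ins and their bind behaviour are assumptions). It shows why the empty-password check matters (a simple bind with no password is an anonymous bind) and escapes the alias per RFC 4515 so an unescaped `*` cannot widen the `(alias=...)` filter.

```python
import re

# RFC 4515: these characters change the meaning of a search filter, so they
# are replaced by a backslash and two hex digits before the value is used.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def alias_filter(alias):
    # Same shape as the CFLDAP filter in ldapauth.cfm: (alias=<value>)
    return "(alias=" + escape_filter_value(alias) + ")"

# Constructed directory (assumption): DN -> attributes. 'userPassword' stands
# in for whatever the real server checks on a simple bind.
DIRECTORY = {
    "cn=Jane Doe,ou=people,o=whatever,c=an": {
        "alias": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.org",
        "userPassword": "correct horse"},
    "cn=Sam Roe,ou=people,o=whatever,c=an": {
        "alias": "sroe", "cn": "Sam Roe", "mail": "sroe@example.org",
        "userPassword": "battery staple"},
}

_EQ_FILTER = re.compile(r"^\((\w+)=(.*)\)$")

def _unescape(text):
    # Turn "\2a"-style sequences back into the literal character.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def _matches(pattern, actual):
    # Server-side matching as a directory does it: an unescaped '*' is a
    # wildcard, an escaped one ("\2a") is a literal asterisk.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual) is not None

def search(filter_str):
    """Stand-in for the first CFLDAP query: entries matching (attr=value)."""
    m = _EQ_FILTER.match(filter_str)
    if m is None:
        raise ValueError("unsupported filter: " + filter_str)
    attr, pattern = m.group(1), m.group(2)
    return [(dn, e) for dn, e in DIRECTORY.items() if _matches(pattern, e.get(attr, ""))]

def simple_bind(dn, password):
    """Stand-in for the second CFLDAP query (bind as dn with password)."""
    if password == "":
        # A simple bind with an empty password is an anonymous bind: the
        # server accepts it without checking any credential at all.
        return True
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password

def authenticate(alias, password):
    """Mirror of ldapauth.cfm: (alias, cn, mail) on success, None otherwise."""
    if password == "":                     # the 'FORM.password IS ""' check
        return None
    hits = search(alias_filter(alias))     # escaped, so '*' cannot widen it
    if len(hits) != 1:                     # the 'Getdn.cn EQ ""' check
        return None
    dn, entry = hits[0]
    if not simple_bind(dn, password):      # wrong password -> cfcatch branch
        return None
    return entry["alias"], entry["cn"], entry["mail"]
```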
Re: [KCFusion] Implementing an Enterprise Single Login
By the way, if you insist on using cookies across multiple sub-domains, set SetDomainCookies=Yes, i.e. xxx.domain.com, ttt.domain.com, etc. If you're talking about different domains, i.e. www.xxx.com, www.yyy.com, SetDomainCookies won't work.

At 09:25 AM 4/20/2002 +0400, you wrote:
> We are using LDAP at work to perform similar user validation; I would recommend using Client Variables instead of cookies.
> [...]

Richard Morrison
RE: [KCFusion] Implementing an Enterprise Single Login
I didn't realize this solution was across different domains/boxes. The server scope will not span multiple boxes. Here is a link to another storage method that stores more complex data and allows more drive space on the client. I have a code example of how to use an XML store. The downside is that it is specific to IE 4.x on a PC. I have not played with it across domains, but I think it is possible to do what you have to do with it.

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/behaviors/reference/behaviors/userdata.asp

This URL may wrap.

Bryan

-----Original Message-----
From: Safley, Nicole [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 4:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [KCFusion] Implementing an Enterprise Single Login

> Yes. The site will be secure, and will span multiple domains.
> [...]
RE: [KCFusion] Implementing an Enterprise Single Login
We also came up with another solution that is somewhat complex to code, but the end result is pretty fair. Have the authorization/main server send its session id for this particular client to the other server in the first request, which could even be done with a POST method. Then have the other server store that session id in a session and, upon every request for a page on that server, have it do an HTTP POST back to the authorization server with the session id to make sure that session is still authenticated on the main server. I currently don't see any particular security holes or drawbacks to this solution other than the design.

-----Original Message-----
From: LaPlante, Bryan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 10:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [KCFusion] Implementing an Enterprise Single Login

> I didn't realize this solution was across different domains/boxes. The server scope will not span multiple boxes.
> [...]
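The back-channel scheme described in the message above, as an added example in Python that is not part of the thread: the main server issues a session id at login, the other server stores it on the first request and asks the main server on every page whether it is still valid, so logout or expiry on the main server takes effect everywhere. The `AuthServer`/`OtherServer` names, the in-memory tables, the constructed `USERS` credentials and the 300 s lifetime are assumptions; note that both ids are bearer tokens, so the POSTs must travel over TLS and the `check` endpoint should answer only trusted servers.

```python
import secrets

# Constructed credentials (assumption) standing in for the LDAP check.
USERS = {"nicole": "s3cret"}

class AuthServer:
    """The authorization/main server: owns the authoritative session table."""
    def __init__(self, lifetime=300):
        self.lifetime = lifetime          # seconds a session stays valid
        self.sessions = {}                # session id -> (user, expires_at)

    def login(self, user, password, now):
        if USERS.get(user) != password:
            return None
        sid = secrets.token_urlsafe(32)   # unguessable: whoever holds it is the user
        self.sessions[sid] = (user, now + self.lifetime)
        return sid

    def check(self, sid, now):
        """The back-channel endpoint the other server POSTs to on every page."""
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        user, expires_at = rec
        if now >= expires_at:             # expired: drop it and say so
            del self.sessions[sid]
            return None
        return user

    def logout(self, sid):
        # Revocation is immediate on every other server, because each one
        # re-asks before serving a page.
        self.sessions.pop(sid, None)

class OtherServer:
    """A server on another domain: stores the id it was handed, re-checks it."""
    def __init__(self, auth):
        self.auth = auth
        self.local = {}                   # its own session key -> main-server sid

    def first_request(self, posted_sid, now):
        # The first request arrives with the main server's session id (POSTed).
        if self.auth.check(posted_sid, now) is None:
            return None
        key = secrets.token_urlsafe(16)   # this server's own session key
        self.local[key] = posted_sid
        return key

    def page(self, key, now):
        sid = self.local.get(key)
        if sid is None:
            return "denied"
        user = self.auth.check(sid, now)  # one round trip per page request
        if user is None:
            self.local.pop(key, None)     # forget a session the main server rejected
            return "denied"
        return "page for " + user
```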
RE: [KCFusion] Implementing an Enterprise Single Login
Do you mean that you want to share a login among multiple cfapplications? You could use the server scope to store your variable. Using a cookie will cause some issues if you try to access it from a separate domain; server variables will overcome that. I would be glad to help you set this up if you need help.

Bryan LaPlante

-----Original Message-----
From: Safley, Nicole [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 4:32 PM
To: Cold Fusion Listserv (E-mail)
Subject: [KCFusion] Implementing an Enterprise Single Login

> We are attempting to implement a solution that will allow a user to enter our web "portal", log on and, based on that log-on (verified in the LDAP directory), utilize any one of many secure applications.
> [...]
Re: [KCFusion] Implementing an Enterprise Single Login
Nicole,

Are you worried that the cookie will be unreadable because the site will be 'secure' with a certificate? Because, if you're using session variables and cfapplication, it isn't affected by having an SSL certificate. Is that your concern?

Thanks,
Robert

----- Original Message -----
From: Safley, Nicole
To: Cold Fusion Listserv (E-mail)
Sent: Wednesday, April 17, 2002 4:32 PM
Subject: [KCFusion] Implementing an Enterprise Single Login

> We are attempting to implement a solution that will allow a user to enter our web "portal", log on and, based on that log-on (verified in the LDAP directory), utilize any one of many secure applications.
> [...]
RE: [KCFusion] Implementing an Enterprise Single Login
Actually, the majority of the applications are on separate domains, and are not cfapplications. Basically, the idea is to have all entry to any of the applications pass through the proxy server where the user logs in. From there they would be able to access any of the enterprise-wide applications which are hosted on various servers throughout our University. Doesn't seem like the server scoping would work in the situation.

-----Original Message-----
From: LaPlante, Bryan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 4:48 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [KCFusion] Implementing an Enterprise Single Login

> Do you mean that you want to share a login among multiple cfapplications? You could use the server scope to store your variable.
> [...]
RE: [KCFusion] Implementing an Enterprise Single Login
Yes. The site will be secure, and will span multiple domains.

-----Original Message-----
From: Robert [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 4:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [KCFusion] Implementing an Enterprise Single Login

> Nicole, are you worried that the cookie will be unreadable because the site will be 'secure' with a certificate?
> [...]
Re: [KCFusion] Implementing an Enterprise Single Login
Nicole,

Sounds like you want a .NET/Passport type of setup, much like everyone's favorite, Microsoft... but in the fact that there are several sites that refer back to the same authentication server for valid users... why not look into Bryan's suggestion of server variables?

Thanks,
Robert

----- Original Message -----
From: Safley, Nicole
To: [EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 4:54 PM
Subject: RE: [KCFusion] Implementing an Enterprise Single Login

> Actually, the majority of the applications are on separate domains, and are not cfapplications. Basically, the idea is to have all entry to any of the applications pass through the proxy server where the user logs in.
> [...]