Even though you already have a working solution, I'd like to suggest an
alternate one (that I'm pretty sure will work and) that would be a bit more
secure.

I believe the reason the code wasn't working the first time around is
that the cookies set by the one domain were not accessible from the other
domain.  Cookies are set for specific domains.  The browser would see
sample.somedomain.com as a separate domain from secure.somedomain.com,
because the subdomains of each are different.

When the user first accesses sample.somedomain.com, CF creates new CFID and
CFTOKEN values for the user and creates cookies.  When the user accesses
secure.somedomain.com, those cookies are not sent over because the domain
has changed.  So CF creates new CFID and CFTOKEN values, etc.  Appending
those values to the URL is one way of passing them from domain to domain,
but they leave the values exposed on the URL.

When creating a cookie, you can specify the domain to which it should apply.
By default, it uses the complete domain (i.e., "sample.somedomain.com").
But, you can set it to be a portion of the complete domain (with some
limitations).  So, you could set the domain to be "somedomain.com" and the
cookies would then be passed to both of the domains.  You'll have to set the
cookies manually though, as in:

        <CFCOOKIE NAME="CFID" VALUE="#COOKIE.CFID#" DOMAIN="somedomain.com">
        <CFCOOKIE NAME="CFTOKEN" VALUE="#COOKIE.CFTOKEN#" DOMAIN="somedomain.com">

The only thing that might still cause this to fail (I haven't tested it) is
if the browsers continue to treat the 2 domains as distinct because of the
differing protocols (http vs. https).  But it might be worth a try to make
the process a bit more secure.

--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 625-9191
Fax: (301) 933-3651
Email: [EMAIL PROTECTED]
WWW: http://www.evoch.com/
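As an added check on the cookie-scoping argument above (this is an added example, not code from the thread and not part of ColdFusion): the script below feeds constructed Set-Cookie headers through Python's standard http.cookiejar, which implements the same domain-matching rules browsers apply, and reports which CFID/CFTOKEN cookies would be attached to requests for sample.somedomain.com and secure.somedomain.com. The hostnames, paths and cookie values are made up, and Path=/ is given explicitly so that only the Domain attribute is being tested. It also models the one way the http/https difference does affect cookies: a cookie the HTTPS host sets with the Secure attribute is stored but never sent back over plain HTTP, which is the case to watch if secure.somedomain.com marks its session cookies Secure.

```python
"""Model which CFID/CFTOKEN cookies a browser would send to each host.

Added example, not from the original mailing-list thread.  It relies on
the cookie-scoping rules implemented in Python's standard http.cookiejar.
All hostnames, URLs and cookie values below are constructed for the demo.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed URLs standing in for the two hosts in the thread.
SAMPLE = "http://sample.somedomain.com/admin/"
SECURE = "https://secure.somedomain.com/login.cfm"
CFID, CFTOKEN = "1234", "98765432"  # made-up session identifiers


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_lines):
        self._headers = Message()
        for line in set_cookie_lines:
            self._headers["Set-Cookie"] = line  # Message keeps repeats

    def info(self):
        return self._headers


def jar_from_response(origin_url, set_cookie_lines):
    """Store the Set-Cookie headers carried by a response from origin_url,
    applying the jar's default (browser-like) acceptance policy."""
    jar = CookieJar()
    jar.extract_cookies(_Response(set_cookie_lines), Request(origin_url))
    return jar


def cookies_sent_to(jar, url):
    """Return {name: value} for the cookies the jar would attach to url."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return {}
    return dict(item.split("=", 1) for item in header.split("; "))


def default_host_only():
    """ColdFusion's default: no Domain attribute, so the cookies are
    host-only and never reach the other subdomain (the original problem)."""
    jar = jar_from_response(
        SAMPLE, [f"CFID={CFID}; Path=/", f"CFTOKEN={CFTOKEN}; Path=/"])
    return cookies_sent_to(jar, SAMPLE), cookies_sent_to(jar, SECURE)


def with_domain_attribute():
    """The suggested fix: scope both cookies to the parent domain, so the
    same CFID/CFTOKEN pair is presented to both hosts."""
    jar = jar_from_response(SAMPLE, [
        f"CFID={CFID}; Domain=somedomain.com; Path=/",
        f"CFTOKEN={CFTOKEN}; Domain=somedomain.com; Path=/",
    ])
    return cookies_sent_to(jar, SAMPLE), cookies_sent_to(jar, SECURE)


def secure_flag_blocks_plain_http():
    """Scheme matters only through the Secure attribute: a domain cookie the
    HTTPS host marks Secure is accepted, but not sent over plain http://."""
    jar = jar_from_response(
        SECURE, [f"CFID={CFID}; Domain=somedomain.com; Path=/; Secure"])
    return cookies_sent_to(jar, SECURE), cookies_sent_to(jar, SAMPLE)


if __name__ == "__main__":
    for label, fn in [("host-only (CF default)", default_host_only),
                      ("Domain=somedomain.com", with_domain_attribute),
                      ("Secure flag, set over https", secure_flag_blocks_plain_http)]:
        first, second = fn()
        print(f"{label}: origin host gets {first}, other host gets {second}")
```

Run it as a script to see the three cases side by side. The host-only case reproduces the symptom from the original post (the second host gets nothing), the Domain case shows both hosts receiving the same pair, and the Secure case shows that the protocol difference bites only when the cookie itself is marked Secure, not merely because the two hosts are reached over different schemes.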


> -----Original Message-----
> From: Joshua Miller [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 12, 2002 11:02 PM
> To: CF-Talk
> Subject: RE: Session Variables Across Domains
>
>
> THANK YOU! That makes perfect sense.
>
> Joshua Miller
> Head Programmer / IT Manager
> Garrison Enterprises Inc.
> www.garrisonenterprises.net
> [EMAIL PROTECTED]
> (704) 569-9044 ext. 254
>
> *********************************************************************************
> Any views expressed in this message are those of the individual sender,
> except where the sender states them to be the views of
> Garrison Enterprises Inc.
>
> This e-mail is intended only for the individual or entity to which it is
> addressed and contains information that is private and confidential. If
> you are not the intended recipient you are hereby notified that any
> dissemination, distribution or copying is strictly prohibited. If you
> have received this e-mail in error please delete it immediately and
> advise us by return e-mail to [EMAIL PROTECTED]
> *********************************************************************************
>
>
> -----Original Message-----
> From: Fuzion - CFTalk [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 12, 2002 6:21 PM
> To: CF-Talk
> Subject: RE: Session Variables Across Domains
>
>
> You will need to redirect to the domain appending the CFID and CFTOKEN
> values to the URL. E.g.
> http://www.domain.com/?CFID=#CFID#&CFTOKEN=#CFTOKEN#
>
> Darryl
>
> -----Original Message-----
> From: Joshua Miller [mailto:[EMAIL PROTECTED]]
> Posted At: Friday, 13 December 2002 8:37 AM
> Posted To: CFTalk
> Conversation: Session Variables Across Domains
> Subject: Session Variables Across Domains
>
>
> Ok, I have a problem:
>
> 1. Users go to a specific domain to login:
> http://sample.somedomain.com/admin/
>
> 2. Users fill out a user/pass form and are taken to:
> https://secure.somedomain.com where they are authenticated against a
> database and have some session variables set (username, userID,
> logintime, etc.)
>
> 3. Users are then sent back to:
> http://sample.somedomain.com/admin/select.cfm to select what function
> they want to perform and use the application.
>
> Here's my problem, the SESSION variables are set under the
> https://secure.somedomain.com domain and aren't available on the
> http://sample.somedomain.com/admin/select.cfm page so they're redirected
> back to the login page to fill out the form again.
>
> Now, both the secure and non-secure sites are using the same application
> name set in their respective Application.cfm templates. Both secure and
> non-secure locations are actually under the same directory, although the
> secure.somedomain.com domain is actually a separate site in IIS while
> the sample.somedomain.com address is just a host header pointing to the
> somedomain.com site. I differentiate what content the user sees based on
> the domain name - what host header they're using tells me what domainID
> to set.
>
>     \Websites
>        \somedomain
>             \secure (SSL Enabled)
>             \admin  (Login form is in here)
>
> Is it not possible to use the same session variables across these
> domains? Perhaps I'm not understanding the Application Name - I thought
> that's what determined the SESSION variable ownership across page
> requests based on the CFID/CFTOKEN. Does every Domain get a CFID/CFTOKEN
> and SESSION variables or does every Application get a CFID/CFTOKEN and
> its own SESSION variables?
>
> The only time that I need to use the secure location is when sending the
> login information, is there another way to accomplish this? Should I
> just use cookies until the user is logged in and then set the session
> variables?
>
> Any help/input appreciated.
>
> Thanks,
>
> Joshua Miller
> Head Programmer / IT Manager
> Garrison Enterprises Inc.
> www.garrisonenterprises.net
> [EMAIL PROTECTED]
> (704) 569-9044 ext. 254
>
>
>
>
>
> 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Get the mailserver that powers this list at http://www.coolfusion.com
