WebServices and Sessions

Report · Feb 24, 2009

Hi,

Is there a way to maintain a session on the server for the duration of a series of web service requests for an individual consumer?

What I want to happen is something like this:
1. The consumer to invoke the webservice with a username/password combination in the SOAP header.
2. The web service authenticates the user against the database and inserts a session id in to the SOAP header.
3. The consumer makes another call to the webservice for some data and if the session id matches the session stored on the server, the web service will return the data for this and all subsequent requests that have the correct session id stored in the SOAP header.

Does anyone know if there a way I can do this, or do I have to write the data to a database and check against that for each call?

Report · Feb 24, 2009

mark_la wrote:
> Hi,
>
> Is there a way to maintain a session on the server for the duration of a
> series of web service requests for an individual consumer?
>

I don't know, but if extract how normal web browser requests maintain
sessions then maybe one can apply this to web service requests.

ColdFusion knows which requests belong to what sessions by the cfid and
cftoken values sent with every request; usually in cookies, but
alternately as get (aka URL) values. I would presume that if a web
service request could and would send these values with future request,
then session state could be maintained. But I sure have never tried to
do this.

Report · Feb 25, 2009

Hi Ian,

Thanks for your reply. From what I understand, and this may be incorrect, there is no persistent session or cookies available for me to use. If I make consecutive requests the session.sessionid changes each time, as does the cfid/cftoken. I don't think url variables are any good either in this instance, as the request will be coming from a dotnet application and not via a browser.

My theoretical solution is this:
1. To authenticate against the username/password in the soap header,
2. Create a uuid; logging this uuid in the database and then adding that uuid to the SOAP header.
3. Compare the uuid in the SOAP header against the uuid in the database and ensure that the access is authorised and timely.

Does this make sense? Is this good practice?

Report · Feb 25, 2009

mark_la wrote:
> Hi Ian,
>
> Thanks for your reply. From what I understand, and this may be incorrect,
> there is no persistent session or cookies available for me to use. If I make
> consecutive requests the session.sessionid changes each time, as does the
> cfid/cftoken. I don't think url variables are any good either in this instance,
> as the request will be coming from a dotnet application and not via a browser.
>

My understanding, but I have never tried to make use of this, the
cookies and url variables are available to you, but the application
consuming the web service must take on the role of a browser and handle
the cookies and or URL variables. You know longer get this handled for
you automatically in this scenario.

Report · Feb 25, 2009

The first links from Google when I searched for coldfusion web service
cookies.

http://tjordahl.blogspot.com/2006/06/how-to-set-cookies-in-coldfusion-soap.html
http://tjordahl.blogspot.com/2006/06/how-to-get-web-service-response.html

Report · Feb 25, 2009

Hi Ian,

Thanks for those links - I had come across Tom's blogs, but didn't see those entries. I'll try and follow those guidelines.

Cheers,
Mark

Adobe Community

WebServices and Sessions

1 Correct answer