Best way to pass secure data between servers

Guest
Nov 15, 2007

Hello,

In the not too distant future my company wants to expand our site to include a single sign-on; this will be made possible with the 3rd party group that handles our customer info. Can someone enlighten me as to the most secure method of transferring user data between these locations?

What has been proposed is to pass the login from our site to the 3rd party, if successful pass back certain data, display and possibly update on our site and then pass this back to the 3rd party server.

Is CFLogin the most powerful method for login? I've used query checks in the past, is that adequate or is CFLogin much better? Any pointers are appreciated.
TOPICS
Advanced techniques

LEGEND
Nov 15, 2007

"Is CFLogin the most powerful method for login? I've used query checks
in the past, is that adequate or is CFLogin much better?"

Neither, CFLogin is really just a specific purpose IF block. Code
within the opening and closing <cflogin...> tags is run when a user is
not logged in with the <cfloginuser...> tag. Inside this block one
still needs to validate the credentials provided by the user, often with
a query check.

The <cflogin...><cfloginuser...> combination provides an easy to
interpret and use mechanism to run conditional code and persist a user
login state from request to request. It is basically equivalent to one's
own <cfif...> logic combined with session data for the user state.
Under the hood it is using the same mechanisms.

I usually prefer to roll my own solution because I often want to store
more state data about a user than is allowed with the <cfloginuser...>
tag and the related getAuthUser() and isUserInRole() functions.

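The pattern described in the reply above, as an added example that is not part of the original post: the `<cflogin>` body runs only for a user who is not logged in, the credentials are still checked with a parameterized query, and extra per-user state goes into the session scope. The datasource `appDSN`, the `users` table and its columns, the salted SHA-256 storage scheme and the template `loginform.cfm` are all assumed names.

```cfml
<!--- Application.cfm (added illustration; datasource, table, columns and loginform.cfm are assumed) --->
<cfapplication name="ssoDemo" sessionmanagement="yes" loginstorage="session">

<!--- The body of <cflogin> runs only while no user is logged in --->
<cflogin idletimeout="1800">
    <cfif NOT IsDefined("cflogin")>
        <!--- No credentials submitted yet: show the form and stop the request --->
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>

    <!--- cflogin.name / cflogin.password come from form fields j_username / j_password.
          cfqueryparam binds the value, so user input never becomes part of the SQL text. --->
    <cfquery name="qUser" datasource="appDSN">
        SELECT user_id, pw_hash, pw_salt, roles
        FROM   users
        WHERE  username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar" maxlength="64">
    </cfquery>

    <!--- Assumed storage scheme: pw_hash holds the uppercase hex SHA-256 of salt & password --->
    <cfset ok = false>
    <cfif qUser.recordCount EQ 1>
        <cfset candidate = Hash(qUser.pw_salt & cflogin.password, "SHA-256")>
        <cfset ok = (Compare(candidate, qUser.pw_hash) EQ 0)>
    </cfif>

    <cfif ok>
        <!--- password is a required attribute; the hash is passed instead of the plaintext --->
        <cfloginuser name="#cflogin.name#" password="#candidate#" roles="#qUser.roles#">
        <!--- State beyond what getAuthUser() / isUserInRole() expose lives in the session --->
        <cfset session.userId = qUser.user_id>
    <cfelse>
        <!--- Same message for unknown user and wrong password --->
        <cfset loginError = "Invalid user name or password.">
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>
</cflogin>
```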
Contributor
Nov 15, 2007

We've done something similar here - where we pass to a 3rd party, or act as a 3rd party. We use a mixture of SSL and encryption - either Blowfish or PGP (depending on the 3rd party).

PGP is more secure, and we purchased the CFX_PGP tag to do this. It was the only tag available and has worked well thus far. Although, if you are using CF8 there may be some .Net solutions you could now integrate (not speaking authoritatively there).

You'll need a copy of PGP desktop to create your public and private keys - you can give the private key to the 3rd client party, exchange the data, have them decrypt, then do the same for the round trip.

Cheers,

Davo

Guest
Nov 15, 2007

Thanks for the replies guys, I'll take a look at these methods. We're still at 7 and no immediate plans to upgrade so we'll go with what we can.

I have another question that's somewhat related. We just went to a UNIX shared web server setup. The replication seems to be having problems and I'm having a hard time tracking down which server is the problem. What I'd like to do is put in code that displays in a comment (html) which server is being used at that time.

I looked through all of the CGI variables but I can't find one that tells me the server name or IP address. I swear this was an option used at a company I worked for long ago.

Contributor
Nov 15, 2007

In application.cfm put in a variable with the unique name of the server, and report on that. This will make your code slightly different from server to server, so you could have application read a text file to populate the variable, and then just change the text in the file.

Just a thought.

Davo
