4 Replies Latest reply on Nov 15, 2007 11:18 AM by davidmedifit

    Best way to pass secure data between servers

    CFMXPrGrmR Level 2
      Hello,

      In the not too distant future my company wants to expand our site to include a single sign-on; this will be made possible with the 3rd party group that handles our customer info. Can someone enlighten me as to the most secure method of transferring user data between these locations?

      What has been proposed is to pass the login from our site to the 3rd party, if successful pass back certain data, display and possibly update on our site and then pass this back to the 3rd party server.

      Is CFLogin the most powerful method for login? I've used query checks in the past, is that adequate or is CFLogin much better? Any pointers are appreciated.
        • 1. Re: Best way to pass secure data between servers
          Level 7
          "Is CFLogin the most powerful method for login? I've used query checks
          in the past, is that adequate or is CFLogin much better?"

          Neither, CFLogin is really just a specific purpose IF block. Code
          within the opening and closing <cflogin...> tags is run when a user is
          not logged in with the <cfloginuser...> tag. Inside this block one
          still needs to validate the credentials provided by the user, often with
          a query check.

          The <cflogin...><cfloginuser...> combination provides an easy to
          interpret and use mechanism to run conditional code and persist a user
          login state from request to request. It is basically equivalent to one's
          own <cfif...> logic combined with session data for the user state.
          Under the hood it is using the same mechanisms.

          I usually prefer to roll my own solution because I often want to store
          more state data about a user than is allowed with the <cfloginuser...>
          tag and the related getAuthUser() and isUserInRole() functions.
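
An added illustration of the reply above (not code posted in the thread): an Application.cfm in which the credential check is a parameterized query inside the cflogin block, and state beyond name and roles is kept in the session. The datasource, table, column and template names, and the salted SHA-256 storage scheme, are assumptions.

```cfml
<!--- Application.cfm sketch for CFMX 7. Datasource, table, column and template names are assumptions. --->
<cfapplication name="exampleApp" sessionmanagement="yes" loginstorage="session">

<!--- The body of cflogin runs only while no cfloginuser is in effect for this user. --->
<cflogin idletimeout="1800">
  <cfif NOT IsDefined("cflogin")>
    <!--- No j_username / j_password submitted yet: show the form and stop. --->
    <cfinclude template="loginform.cfm">
    <cfabort>
  </cfif>

  <!--- cflogin validates nothing by itself; the query check is still ours to write. --->
  <cfquery name="qUser" datasource="exampleDSN">
    SELECT user_id, pw_salt, pw_hash, roles
    FROM   app_users
    WHERE  username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
  </cfquery>

  <!--- Assumed storage scheme: hex SHA-256 of salt followed by password. --->
  <cfif qUser.recordCount EQ 1
        AND Compare(UCase(qUser.pw_hash), Hash(qUser.pw_salt & cflogin.password, "SHA-256")) EQ 0>
    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#qUser.roles#">
    <!--- cfloginuser keeps only name, password and roles; further state goes in the session. --->
    <cfset session.profile = StructNew()>
    <cfset session.profile.userId = qUser.user_id>
    <cfset session.profile.loggedInAt = Now()>
  <cfelse>
    <cfset loginFailed = true>
    <cfinclude template="loginform.cfm">
    <cfabort>
  </cfif>
</cflogin>

<!--- Past this point the request belongs to a logged-in user. --->
<cfif IsUserInRole("admin")>
  <cfset request.showAdminMenu = true>
</cfif>
<cfset request.displayName = HTMLEditFormat(GetAuthUser())>
```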

          • 2. Re: Best way to pass secure data between servers
            davidmedifit Level 1
            We've done something similar here - where we pass to a 3rd party, or act as a 3rd party. We use a mixture of SSL and encryption - either Blowfish or PGP (depending on the 3rd party).

            PGP is more secure, and we purchased the CFX_PGP tag to do this. It was the only tag available and has worked well thus far. Although, if you are using CF8 there may be some .Net solutions you could now integrate (not speaking authoritatively there).

            You'll need a copy of PGP desktop to create your public and private keys - you can give the private key to the 3rd client party, exchange the data, have them decrypt then do the same for the round trip.

            Cheers,

            Davo
            • 3. Re: Best way to pass secure data between servers
              CFMXPrGrmR Level 2
              Thanks for the replies guys, I'll take a look at these methods. We're still at 7 and no immediate plans to upgrade so we'll go with what we can.

              I have another question that's somewhat related. We just went to a UNIX shared web server setup. The replication seems to be having problems and I'm having a hard time tracking down which server is the problem. What I'd like to do is put in code that displays in a comment (html) which server is being used at that time.

              I looked through all of the CGI variables but I can't find one that tells me the server name or IP address. I swear this was an option used at a company I worked for long ago.
              • 4. Re: Best way to pass secure data between servers
                davidmedifit Level 1
                In application.cfm put in a variable with the unique name of the server, and report on that. This will make your code slightly different from server to server, so you could have application read a text file to populate the variable, and then just change the text in the file.

                Just a thought.

                Davo