5 Replies Latest reply on Feb 25, 2009 6:46 AM by mark_la

    WebServices and Sessions

      Hi,

      Is there a way to maintain a session on the server for the duration of a series of web service requests for an individual consumer?

      What I want to happen is something like this:
      1. The consumer to invoke the webservice with a username/password combination in the SOAP header.
      2. The web service authenticates the user against the database and inserts a session id into the SOAP header.
      3. The consumer makes another call to the webservice for some data and if the session id matches the session stored on the server, the web service will return the data for this and all subsequent requests that have the correct session id stored in the SOAP header.

      Does anyone know if there is a way I can do this, or do I have to write the data to a database and check against that for each call?
        • 1. Re: WebServices and Sessions
          Level 7
          mark_la wrote:
          > Hi,
          >
          > Is there a way to maintain a session on the server for the duration of a
          > series of web service requests for an individual consumer?
          >

          I don't know, but if one extracts how normal web browser requests maintain
          sessions then maybe one can apply this to web service requests.

          ColdFusion knows which requests belong to what sessions by the cfid and
          cftoken values sent with every request; usually in cookies, but
          alternately as get (aka URL) values. I would presume that if a web
          service request could and would send these values with future requests,
          then session state could be maintained. But I sure have never tried to
          do this.
          • 2. Re: WebServices and Sessions
            Level 1
            Hi Ian,

            Thanks for your reply. From what I understand, and this may be incorrect, there is no persistent session or cookies available for me to use. If I make consecutive requests the session.sessionid changes each time, as does the cfid/cftoken. I don't think url variables are any good either in this instance, as the request will be coming from a dotnet application and not via a browser.

            My theoretical solution is this:
            1. To authenticate against the username/password in the soap header,
            2. Create a uuid; logging this uuid in the database and then adding that uuid to the SOAP header.
            3. Compare the uuid in the SOAP header against the uuid in the database and ensure that the access is authorised and timely.

            Does this make sense? Is this good practice?
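
The three steps proposed in the post above, as an added Python sketch that is not part of the original thread: it swaps the UUID for a random token from the OS CSPRNG (not every UUID generator is unpredictable), stores only a hash of the token, and applies an idle timeout for the "timely" check. The `SessionService` class, the `alice` account, the 900-second timeout and the in-memory dictionaries standing in for the database tables are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 900  # assumed idle timeout in seconds

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class SessionService:
    """In-memory stand-in for the users and sessions tables (constructed data)."""

    def __init__(self):
        salt = secrets.token_bytes(16)
        self.users = {"alice": (salt, _pw_hash("s3cret-pass", salt))}
        self.sessions = {}  # sha256(token) -> (username, expiry timestamp)

    def login(self, username, password, now=None):
        """Steps 1-2: check credentials, return the token for the SOAP header."""
        now = time.time() if now is None else now
        # Unknown users still cost one hash, so timing does not reveal them.
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(_pw_hash(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        # Store only a hash, so a leaked sessions table cannot be replayed.
        self.sessions[_digest(token)] = (username, now + SESSION_TTL)
        return token

    def validate(self, token, now=None):
        """Step 3: return the username if the token is known and still timely."""
        now = time.time() if now is None else now
        key = _digest(token or "")
        entry = self.sessions.get(key)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self.sessions[key]  # expired tokens are removed, not revived
            return None
        self.sessions[key] = (username, now + SESSION_TTL)  # sliding expiry
        return username
```

The token only protects the session if the SOAP exchange itself runs over TLS, since anyone who can read the header can replay it until it expires.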

            • 3. Re: WebServices and Sessions
              Level 7
              mark_la wrote:
              > Hi Ian,
              >
              > Thanks for your reply. From what I understand, and this may be incorrect,
              > there is no persistent session or cookies available for me to use. If I make
              > consecutive requests the session.sessionid changes each time, as does the
              > cfid/cftoken. I don't think url variables are any good either in this instance,
              > as the request will be coming from a dotnet application and not via a browser.
              >

              My understanding, though I have never tried to make use of this, is that the
              cookies and URL variables are available to you, but the application
              consuming the web service must take on the role of a browser and handle
              the cookies and/or URL variables. You no longer get this handled for
              you automatically in this scenario.
              • 5. Re: WebServices and Sessions
                Level 1
                Hi Ian,

                Thanks for those links - I had come across Tom's blogs, but didn't see those entries. I'll try and follow those guidelines.

                Cheers,
                Mark