Hi all,
I have another CFHTTP question. I am on another project where I have one sign-in form, but depending on the user's prior activity, or lack thereof, I have three places I can direct them.

1. If they are a returning user, they go to the main target, an educational website on a third party host.
2. If they are new, they go to a site that performs a number of functions that gets the user set up for the activities on the main site.
3. If there's an error, they are directed to a page that tells them what's wrong.

Now, in a perfect world, I'd have all of this going on in the form post handler for the main site. However, the db server that houses their pre-registration and payment information is on a server that does not accept external TCP/IP connections (being a medical education institution, we are on lockdown in order to not get in trouble with regulators and accreditors). I can get to it from the application server where the pre-registration site is located, but I cannot query it from my third-party host. To complete all the validation and authenticate the user, then, I need to have the script processing the post request on the application server that can query the pre-registration database.

So, what I need to figure out is how, if it OK to log them into the site on the third party host. I need to send a form POST to this site, and redirect the user there. Here's what I'm trying to use:

<cfhttp method="post" resolveurl="yes" redirect="yes" url="http://www.mysite.com/formhandler.php">
<cfhttpparam type="formfield" name="username" value="#username#">
<cfhttpparam type="formfield" name="password" value="#password#">

However, I am not redirected to the URL indicated, I am stuck at the page with the script running my validations. I've spent quite some time going through the documents at Adobe, and searching around for why I'm not being redirected to the form handler, and thus log in.

I've thought about adding a GET method in the formhandler.php script and using cflocation to do this, but there has to be a way in the script I'm working on.

Recommended Answers

All 10 Replies

You should have a form submit to a page, do some cfif's and then do a cflocation based on whatever. Maybe try that route?

You should have a form submit to a page, do some cfif's and then do a cflocation based on whatever. Maybe try that route?

That won't work. <cflocation> only works with relative paths. I need to send the form post info to a script on a third party server.

I decided to take a Javascript route to do this. I'm not happy with the relatively low level of security with this approach, but it works for the time being. I would like to revisit this topic if there's a better way to do this.

That won't work. <cflocation> only works with relative paths

cflocation can redirect to an absolute url ie http://www.somesite.com, so I don't think that's the problem.

However, I am not redirected to the URL indicated, I am stuck at the page with the script running my validations.

But it's not clear from the description what part you're stuck on. You cfhttp post data to "some other server". Then what? ie What're you trying to do that's not working?

What's not working is that the <cfhttp> script is not redirecting the user to the location specified. While I could do this with a <cflocation> (BTW, my mistake, I was thinking of something else, in regards to relative paths), I can't use that to send variables over as a form post. I can include it in the URL, and have the receiving script handle it as a GET, but that is not an approach I want to take, for security reasons. What I was looking for was some way to use <cfhttp> to do what this Javascript function does:

<script type="text/javascript">
		function goToOther () {
			var frm = document.getElementById("login");
		window.onload = goToOther;

That's not possible w/cfhttp. Think of cfhttp like a mini browser. The post, and any redirection on the remote server's end, all takes place inside cfhttp. Once the call exits, the user browser is still on your server. The only way to redirect them to another url programmatically is w/cflocation (or a javascript/html form submit).

I do also feel the same as arrgh, that its not possible to move to some page using cfhttp, rather it just sends an http request to the page and gets the content of the same to the requesting server, just like a web browser. So better to go with cflocation or submit form.

Also while it's a bad idea to send passwords in the url, method "post" isn't any more secure than "get".

Since you can't share cookies across domains, maybe both ends could establish a short term "token" for authenticated users. Then you'd pass the token in the cflocation url. The other side checks the token and destroys it. If the token is valid it logs the user in (or whatever it's supposed to do).

That's what I do for an account synchronization app I developed recently with a third party client (see my other thread where I asked about this). However, in this case I was doing this in only one direction, using my script as a sort of traffic cop to automatically check where a user needed to go between the two sites. I will take a look at this for securing this connection later on, but for now it works and I need to move on to my next project (for which I will post a new thread, I have questions on it).

Well if the logins are used to access anything more important than "my bookmarks" I wouldn't use any of the other methods above. They all expose passwords in clear text (in url, html, ...) which violates even the most basic security tests ...

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, learning, and sharing knowledge.