Add cookie to HTTP header for SOAP call in ColdFusion

Question

I basically want to add the ASP.NET_SessionId cookie to my HTTP request header when calling a SOAP web service through ColdFusion.

The web service is registered in the OnApplicationStart function of the Application.cfc component in ColdFusion.

<cfscript>
    objSoapHeader = XmlParse("<wsse:Security mustUnderstand=""true"" xmlns:wsse=""http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd""><wsse:UsernameToken><wsse:Username>MY_USERNAME</wsse:Username><wsse:Password>MY_PASSWORD</wsse:Password></wsse:UsernameToken></wsse:Security>");
    Application.UserWebService = CreateObject("webservice","MY_URL/UserService.asmx?WSDL");
    addSOAPRequestHeader(Application.UserWebService,"","",objSoapHeader,true);
</cfscript>

My web service is called as such:

<cfset Result = "#Application.UserWebService.SomeFunction("1", "DATA")#">

In order for the .Net server (where the web services are located) to remember my session state, I must pass the ASP.NET_SessionId cookie in the HTTP request header, but have no idea if this is even possible in ColdFusion.

I've researched for several hours but nothing has come of it as of yet, so has anyone successfully managed to pull this off?

This is how you set the cookie within the cfhttp. ``. But I don't know where to get the .NET value from. Have you tried looking through the cgi scope with ``? — Jules, Sep 16 '16 at 02:05
Just to clarify, the suggestion here is to try consuming the webservice with `cfhttp`, instead of `createObject()`. In some cases, it offers more flexibility. See this thread for details about how to extract cookies and maintain sessions across http requests: http://www.bennadel.com/blog/725-maintaining-sessions-across-multiple-coldfusion-cfhttp-requests.htm — Leigh, Sep 16 '16 at 13:27
@Leigh - he's looking for the .NET session id, not CF's. But I agree with you nonetheless. cookie.CFID or cookie.JSESSIONID is probably better to use. — Jules, Sep 16 '16 at 16:53
@Jules - Yep, I know ;-) .. but I think you misunderstood my suggestion. — Leigh, Sep 16 '16 at 17:22
@Jules to answer your first comment, I retrieve the `ASP.NET_SessionId` cookie from `GetHttpRequestData().Headers.Cookie` and split it into an array. Although not the most ideal method, this allows me to retrieve the cookie returned by .Net in order to identify the correct SessionState instance with all subsequent requests. — MPaul, Sep 16 '16 at 18:40
@Leigh I was looking at that thread just yesterday and I'm a little disappointed to find out there isn't a way to add the cookie to the HTTP header when making calls through the `createObject()` function. But nevertheless thanks for your input, at least I can move forward — MPaul, Sep 16 '16 at 18:43
@MPaul - From what I have read, it can be done with the underlying lib use by CF, so I strongly suspect it *is* possible. I am just not sure how easily. createObject("webservice") is a bit more of a black box. That is probably why folks were suggesting cfhttp as an alternative. — Leigh, Sep 16 '16 at 19:20
@Leigh Interesting, could you please point my in the direction to view the underlying library's functions? I suspect you're using some online resource to find this information? — MPaul, Sep 16 '16 at 19:39
@MPaul - CF10 uses Axis2 for web services. So any links on cookie handling from java will apply to CF as well. I cannot test it out right now, but a bit of searching suggests *should* be a matter of grabbing the client options: ie `options = theWSObject._getServiceClient().getOptions();` Then enabling session management and setting the headers, ie `options.setManageSession(true); options.setProperty(httpConstants.COOKIE_STRING, "the value");` . — Leigh, Sep 16 '16 at 22:07

score 1 · Accepted Answer · edited May 23 '17 at 12:00

Short Answer:

For CF9 / Axis1 try enabling sessions on the web service object.

ws = createObject("webservice", "http://localhost/MyWebService.asmx?wsdl");
ws.setMaintainSession( true );

For CF10+ / Axis2, see longer answer below:

(Disclaimer: Using cfhttp might be simpler, but I was curious and did some digging ..)

From what I have read, since CF10+ uses Axis2 for web services it should be possible to use the underlying methods to maintain session state through HTTP cookies.

How to set Cookies in ColdFusion SOAP requests - (circa 2006) - Written for a much older version of CF/Axis, so some of it is outdated, but it still provides a good overview of the general concept.
Maintain session in Axis2
Java axis web service client setMaintainSession on multiple services (cookies?)
Axis2 Manage Session Cookie Manually

Using the the links above, I put together a quick POC using a basic web service and was able to extract the cookie header from the web service client response:

// make initial request
ws = createObject("webservice", "http://localhost/MyWebService.asmx?wsdl");
ws.firstMethod();

// For maintainability, use constants instead of hard coded strings
wsdlConstants = createObject("java", "org.apache.axis2.wsdl.WSDLConstants");

// Extract headers 
operation = ws._getServiceClient().getLastOperationContext();
context = operation.getMessageContext( wsdlConstants.MESSAGE_LABEL_IN_VALUE  );
headers = context.getProperty( context.TRANSPORT_HEADERS );

Then set the cookie and instruct the web service client to send it with subsequent requests:

if ( structKeyExists(headers, "Set-Cookie") ) {
    // include http cookies with request
    httpConstants = createObject("java", "org.apache.axis2.transport.http.HTTPConstants");
    options = ws._getServiceClient().getOptions();
    options.setManageSession( true );
    options.setProperty( httpConstants.COOKIE_STRING, headers["Set-Cookie"] );
}

// ... more requests
ws.secondMethod();
ws.thirdMethod();

NB: Side note, I noticed you are storing the instance in the shared Application scope. Just keep in mind web service instances are probably NOT thread safe.

Very interesting! I'll look into this today, however I'm running ColdFusion 9 therefore I believe I'll be using Axis1 — MPaul, Sep 19 '16 at 13:00
(Edit) @MPaul - Then you may be able to use the technique referenced in the first link. I *think* it was written for Axis1. Albeit for an earlier version of CF (7 or something like that), so no guarantees all of it will apply to your version ;-) — Leigh, Sep 19 '16 at 13:02
The [axis1 syntax here](http://axis.8716.n7.nabble.com/Axis-1-4-client-get-cookies-td23763.html) seems to work for CF9. Out of curiosity, what happens if just enable sessions, ie `ws.setMaintainSession( true );`? Does it still lose track of the session (under CF9)? — Leigh, Sep 19 '16 at 22:15
Good to hear! For Axis2, just setting `setManageSession` did not seem to work in earlier tests, but now I am wondering about that ... I will have to recheck. — Leigh, Sep 20 '16 at 20:37

score 0 · Answer 2 · answered Sep 16 '16 at 00:24

0

Inside your CFHPPT tags, set the cookie with CFHTTPPARAM

answered Sep 16 '16 at 00:24

Eccountable

622
3
13

Add cookie to HTTP header for SOAP call in ColdFusion

2 Answers2