Hey there,

I'm working with a systems guy to get RSA's SecurID working with ColdFusion
applications to replace any sort of custom login (i.e. doing away with
passwords to use RSA's sercurID fab). I'm running into some weird problems and
I was wondering if someone has done this or has any thoughts as to what is
going on.

We're running ColdFusion 7.0 using JRUN on an apache web server running on
Red Hat Linux. We're trying to use RSA's Authentication Agent 5.3 for Web for
Apache (URL: [url]https://rsasecurity1.rsc03.net/servlet/campaignrespondent[/url]).
This provides a number of Java classes that should be able to be called from a
..cfm web page. I've tried to find a link to a .pdf that RSA provides titled
RSA Authentication Agent 5.3 for Web Authentication Developer?s Guide for Sun
Java System Web Server and Apache Web Server , but I cannot find it. If
someone is kind enough to work on this, I can send the .pdf.

In short, the RSA agent take the RSA authentication and writes a cookie called
rsa-local to the user's machine. The RSA's API reads the cookie to check for
things like time-outs, userIDs and such. Here is a sample cookie:

rsa-local
priesrZ00Z002Z0042554EF6Z0042554EF6Z00Z00S.Z3DZ18Z 89ZBAZ89Z5BZF1ZB3Z9EZEFZ8AZF87
Z224Z16Z19Z04ZA1Z9AZ88YZ273kZ9CNZCBZDEZDC

I've attached the sample files that I'm trying to get working.

This page should produce the following output:

Hello priesr

The probelm: The RSA API (in the example given above:
rsaObject.RSAGetUserName) returns a 101 error and claims that it cannot read
the cookie. When I just try this under an apache in a simple .html page, it
works every time. After a number of refreshes on the .cfm page, it finally
does read the cookie, and the RSA API returns what it should. This won't work
for a login for an application :)

Ok, One interesting note:

When I try to read the cookie directly (output cookie.rsa-local) I get the
following error message: Element RSA is undefined in COOKIE. I noticed that
the ColdFusion is chopping off the cookie variables at the dash. If I try to
create a cookie called "a-b" and try to read it back, I will get the error
message: Element a is undefined in COOKIE. I checked all of the
documentation in ColdFusion, as well as some of the original RFCs and did not
fins anything that restricted the use of a "-" in a cookie variable. There
was lots of notes on not using a period or an underscore, but nothing on a
dash.

Does ColdFusion have a bug in reading cookies where it's clipping variable
names after the "-"? Could this be the source of my probelm?

I would love to hear from anyone who has this working, or if anyone has any
ideas as to why what I'm doing will not work.

Thanks,

-- Rick P.

<html>
<body>
<cfset rsaObject = createObject("java", "com.rsa.cookieapi.RSACookieAPI")>
<cfset req = getPageContext().getRequest()>
<cfset rsaObject.init(req)>
<cfset pv_username = rsaObject.RSAGetUserName()>
<cfset err = rsaObject.RSAGetLastError()>
<cfdump var="#cookie#">
<cfoutput>
Hello <strong>#pv_username#</strong>
</cfoutput>
<br>
</body>
</html>