GOAL:
Maintain session state between a PHP application and a Coldfusion application which together, comprise the entire application.
CURRENT METHOD:
Upon logging into our Coldfusion application (the only way to login, i.e., cannot login via the PHP application), we are using the following JS snippet to call a remote PHP file which sets the PHP session cookies (which cannot be set via Coldfusion), and on subsequent Coldfusion page visits, refreshes the PHP session:
<script type="text/javascript">
// Create an image.
var imgPing = new Image();
// Set image src to App A ping url.
imgPing.src = "http://remotePHPApplicationURL/remoteFile.php";
</script>
This snippet is loaded on each Coldfusion page when logged in to maintain the parallel sessions.
This method works as designed if called via a non-SSL Coldfusion page; however, there are some SSL Coldfusion pages which comprise the application. When an SSL page calls this snippet, we get both an “insecure content” warning (which breaks our SSL connection) and an “anonymous function” error, both within the Chrome Inspector.
We’ve tried CFHTTP to “GET” this PHP file, but it is not setting the PHP cookies as designed. There is something that I don’t understand regarding how, by using img.src, the PHP file is executed vs. using CFHTTP.
QUESTION:
Is there another, better method of calling/executing/pinging the PHP file vs. using the img.src, which seems to only work in non-SSL situations?
Here is an example of what the PHP file looks like:
<?php
error_reporting(E_ALL & ~E_NOTICE);
define('THIS_SCRIPT', 'index');
define('CSRF_PROTECTION', true);
$globaltemplates = array();
require_once('./global.php');
// Touch the PHP session so its expiry is pushed out on every ping.
$phpapp->session->save();
// Set-Cookie goes to whichever client made this request: the browser when the
// file is loaded via img.src, the ColdFusion server when it is fetched via CFHTTP.
setcookie('userid', 'uid');
setcookie('password', 'pass');
header("Content-Type: image/png");
?>
You can use CFHTTP but you have to use it like a proxy between the browser and the remote application and manually manage the cookies sent and received.
I’ve done this successfully to log users into phpBB from ColdFusion.
The process would look something like this
In subsequent requests you’ll need to see if the cookies sent by the app are present and, if they are, pass them along with the CFHTTP request in step 1 using CFHTTPPARAM. There’s probably a sessionid or similar cookie set by the app; this needs to be sent to maintain the session.
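The relay the answer describes, as an added example that is not part of the question or the answer: ColdFusion fetches the PHP file with CFHTTP, stores whatever cookies PHP sets in the ColdFusion session, and replays them with CFHTTPPARAM on every later call. The URL is the one from the question; the session key `phpCookies`, the https scheme, and the handling of `responseHeader["Set-Cookie"]` (a string for one header, a struct keyed 1, 2, … when several are returned) are assumptions for illustration.

```cfml
<!--- Added example, not code from the question or the answer.
      Assumed: the PHP ping URL from the question (over https so the CF-to-PHP
      hop is not plaintext), a session struct named phpCookies, and CFHTTP
      returning repeated Set-Cookie headers as a struct keyed 1, 2, ... --->
<cfset phpPingUrl = "https://remotePHPApplicationURL/remoteFile.php">
<cfparam name="session.phpCookies" default="#structNew()#">

<!--- Step 1: call the PHP file from the ColdFusion server, replaying every
      cookie we already hold for it (the PHP session id among them). --->
<cfhttp url="#phpPingUrl#" method="get" result="phpPing" redirect="false">
    <cfloop collection="#session.phpCookies#" item="cookieName">
        <cfhttpparam type="cookie"
                     name="#cookieName#"
                     value="#session.phpCookies[cookieName]#">
    </cfloop>
</cfhttp>

<!--- Step 2: harvest Set-Cookie headers from the response so the next
      request in step 1 can send them back. --->
<cfif structKeyExists(phpPing.responseHeader, "Set-Cookie")>
    <cfset rawCookies = phpPing.responseHeader["Set-Cookie"]>
    <cfset cookieHeaders = []>
    <cfif isStruct(rawCookies)>
        <!--- Several Set-Cookie headers: one struct entry per header. --->
        <cfloop collection="#rawCookies#" item="idx">
            <cfset arrayAppend(cookieHeaders, rawCookies[idx])>
        </cfloop>
    <cfelse>
        <!--- A single Set-Cookie header comes back as a plain string. --->
        <cfset arrayAppend(cookieHeaders, rawCookies)>
    </cfif>

    <cfloop array="#cookieHeaders#" index="hdr">
        <!--- "name=value; Path=/; HttpOnly" -> keep only the name=value pair;
              the attributes describe the browser's storage rules, which we
              are replacing with our own session storage here. --->
        <cfset pair = listFirst(hdr, ";")>
        <cfset cookieName = trim(listFirst(pair, "="))>
        <cfif find("=", pair) AND len(cookieName)>
            <!--- listRest keeps any "=" inside the value (base64 padding). --->
            <cfset session.phpCookies[cookieName] = listRest(pair, "=")>
        </cfif>
    </cfloop>
</cfif>

<!--- Optional sanity check: did PHP accept the ping? --->
<cfif phpPing.statusCode DOES NOT CONTAIN "200">
    <cflog file="phpRelay" text="PHP ping failed: #phpPing.statusCode#">
</cfif>
```

Because the PHP cookies now live in the ColdFusion session rather than in the browser, the browser never talks to the PHP host directly; anything the user needs from the PHP side has to be fetched through this relay, and the mixed-content warning disappears because the SSL page no longer embeds an http:// resource.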