
January 30, 2008

Google API: Using gSessionId with AuthSub Part 4

Filed under: ColdFusion, Google — Steve Nelson @ 5:46 am

I swear this is a bug. It has to be a bug because it’s so ridiculous. If it’s not a bug, I hope someone can explain it.

After you finish part 1 and part 2 of logging in using Google’s AuthSub, you’ll find it’s just not enough. Something really weird happens if you attempt to get a list of calendars.

You get an HTTP 302 error. An HTTP 302 error is a redirect error. In a nutshell it’s as if they have a cflocation on the first line of their Application.cfc file (translate that into whatever language Google is using). If you automatically redirect on a page that you send a post request to, all the headers are lost. In other words, everything gets screwed up. So here’s how to fix it…

Add this code to the GoogleAuthenticate.cfc file:

<cffunction name="getCalendarSessionId" >
    <cfargument name="token" type="string"/>
    <cfset var gsessionid="">
    <!--- Request the calendar list without following the redirect --->
    <cfhttp url="" method="post" redirect="false">
        <cfhttpparam type="header" name="Authorization" value="AuthSub token=#arguments.token#">
        <cfhttpparam type="header" name="Content-Type" value="application/atom+xml">
    </cfhttp>
    <!--- The gsessionid is the last value on the redirect URL --->
    <cfif cfhttp.responseheader.status_code is "302">
        <cfset gsessionid = listlast(cfhttp.responseheader.location, "=")>
    </cfif>
    <cfreturn gsessionid/>
</cffunction>

Are you confused yet? The first question to ask is… What is the token argument? Is it the first token or the second token?

Use the second token. If you really want to understand why, ask and I’ll explain.

So all we’re doing here is attempting to get a list of calendars. The cfhttpparam header passing in the token tells Google which user’s calendars to get. It’s going to fail and that’s ok, we’re expecting it to.

It’s going to return an HTTP 302 error. That 302 error will give us a URL to redirect the user to. On the end of the URL is a gSessionId. That’s what we want. Strip off the gSessionId and cfreturn it.
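A stricter version of the extraction step described above, as an added example that is not code from the original post: it reads gsessionid by parameter name instead of taking whatever follows the last "=", and returns an empty string when the redirect points at a different host, so the AuthSub token is not sent anywhere unexpected. The function name extractGSessionId, the expectedHost argument and the allowed character set are assumptions.

```cfml
<!--- Added example; extractGSessionId and expectedHost are hypothetical names --->
<cffunction name="extractGSessionId" returntype="string" output="false">
    <!--- location: the Location header value from the 302 response --->
    <cfargument name="location" type="string" required="true">
    <!--- expectedHost: the host the original request was sent to --->
    <cfargument name="expectedHost" type="string" required="true">
    <cfset var host = "">
    <cfset var qs = "">
    <cfset var pair = "">
    <cfset var value = "">

    <!--- Pull the host out of the redirect URL; if the pattern does not
          match, host stays equal to the whole string and the check fails --->
    <cfset host = reReplaceNoCase(arguments.location, "^https?://([^/:?##]+).*$", "\1")>
    <cfif compareNoCase(host, arguments.expectedHost) neq 0>
        <cfreturn "">
    </cfif>

    <!--- No query string means no gsessionid --->
    <cfif listLen(arguments.location, "?") lt 2>
        <cfreturn "">
    </cfif>

    <!--- Drop any fragment, then walk the name=value pairs --->
    <cfset qs = listFirst(listRest(arguments.location, "?"), "##")>
    <cfloop list="#qs#" index="pair" delimiters="&">
        <cfif listLen(pair, "=") eq 2 and compareNoCase(listFirst(pair, "="), "gsessionid") eq 0>
            <cfset value = urlDecode(listLast(pair, "="))>
            <!--- Assumed character set: accept only URL-safe characters,
                  since the value is appended to later request URLs --->
            <cfif reFind("^[A-Za-z0-9_-]+$", value)>
                <cfreturn value>
            </cfif>
        </cfif>
    </cfloop>
    <cfreturn "">
</cffunction>
```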

This is the last of the AuthSub steps you need to do. From here on out, every Google API cfhttp request will include an AuthSub token in the header, and the URL will include ?gsessionid=#arguments.gsessionid#. Here’s an example:

<cfhttp url="" method="post" redirect="false">
    <cfhttpparam type="header" name="Authorization" value="AuthSub token=#arguments.token#">
</cfhttp>

These two things tell Google whose data to get. Again, I swear this gSessionId is a bug. In my opinion, there should be no reason you need BOTH an Authorization token AND a sessionId. They’re programmatically redundant. But, tough luck, you need them both.

Tomorrow we’ll switch gears and start looking at the Google Calendar API itself.

-Steve Nelson


1 Comment »

  1. It’s a single-use token. From:

    “Your application constructs the appropriate AuthSub URL and then sends the user to that URL so they can log in; the AuthSub system sends the user back to the URL on your site that you specified, and returns a one-time-use token; your application optionally exchanges that token for a session token; then your application sends the token in the Authorization header with each request that the application sends to the service.”

    So first you construct the URL. The user logs in, and your callback page is visited, with a SINGLE USE token. You then use that to upgrade to a long-term, never-expires, session token. The single use token is now useless, and you can throw it away. Only the session token matters, and it lives until you specifically request to kill it.

    Comment by Chris Moschini — May 14, 2009 @ 4:03 pm
