SOLVED

Invalidate HTTPSession when the login-token expires

Hi,

We are storing some sensitive user information in the HTTPSession, and we would like to clear it when the login token expires.

We implemented AuthenticationHandler and used its dropCredentials() method to invalidate the HTTPSession. But this only works when the user clicks the logout button explicitly. However, we also want to invalidate the HTTPSession whenever the login token expires. Is there any event that is emitted whenever the login token expires, or any specific filter we can implement to invalidate the HTTPSession on token expiration?

Thanks.

1 Accepted Solution

Correct answer by
Community Advisor

Hi @ansrk

You can use the expiration time of your HTTPSession from org.apache.jackrabbit.oak.security.authentication.token.TokenConfigurationImpl using the "tokenExpiration" field. When the expiration time is reached, the login token and the HTTPSession cookie will both expire at the same time.

Thanks!

2 Replies

Community Advisor

Hi,

You can create a session-check service, which will basically check the session at some interval, e.g. every 5 min via an ajax call. If the session is invalid, you can clear the data and perform logout as well.



Arun Patidar
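
A server-side take on the filter asked about in this thread, as an added example that is not part of the original posts and not Adobe's code: a Sling request filter that invalidates an HTTPSession once the request is no longer authenticated as the user who owns it. It assumes the javax.servlet API and that the application stores the user ID under the hypothetical attribute `com.example.sessionOwner` when it puts sensitive data into the session; the package and class names are hypothetical too.

```java
package com.example.core.filters; // hypothetical package name

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.osgi.service.component.annotations.Component;

/** Drops an HTTPSession that no longer belongs to the authenticated user. */
@Component(service = Filter.class,
           property = {"sling.filter.scope=REQUEST",
                       "service.ranking:Integer=10000"}) // assumed ranking value
public class StaleSessionFilter implements Filter {

    // Hypothetical attribute: set it to request.getRemoteUser() whenever
    // sensitive data is written to the session.
    static final String OWNER_ATTR = "com.example.sessionOwner";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create one here
        if (session != null && isStale(session, request.getRemoteUser())) {
            // Login token expired or the user changed: discard everything stored.
            session.invalidate();
        }
        chain.doFilter(req, res);
    }

    /** True when the session has an owner and the request is not that owner. */
    static boolean isStale(HttpSession session, String currentUser) {
        Object owner = session.getAttribute(OWNER_ATTR);
        if (owner == null) {
            return false; // nothing sensitive was bound to this session
        }
        return currentUser == null
                || "anonymous".equals(currentUser)
                || !owner.equals(currentUser);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

The filter only sees requests that reach Sling's filter chain, so a session that receives no further request still lives until the servlet container's session timeout; keep that timeout no longer than the token expiration.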
