Hi,
We are storing some sensitive user information in the HTTPSession, and we would like to clear it when the login token expires.
We implemented AuthenticationHandler and used its dropCredentials() method to invalidate the HTTPSession, but this only works when the user clicks the logout button explicitly. However, we also want to invalidate the HTTPSession whenever the login token expires. Is there any event that is emitted whenever the login token expires, or any specific filter we can implement to invalidate the HTTPSession on token expiration?
Thanks.
Hi @ansrk
You can use the expiration time of your HTTPSession from org.apache.jackrabbit.oak.security.authentication.token.TokenConfigurationImpl using the "tokenExpiration" field. When the expiration time is reached, the login token and the HTTPSession cookie will both expire at the same time.
Thanks!
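One server-side way to apply the idea in the answer above, as an added example that is not part of the original thread or of any Adobe or Oak code: a plain servlet filter that records a deadline at login and invalidates the HTTPSession once that deadline has passed. The class name, method names, attribute name and the two-hour value are assumptions; set the duration to match your configured tokenExpiration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Invalidates the HttpSession once the deadline recorded at login has passed. */
public class SessionDeadlineFilter implements Filter {

    // Assumption: the same duration as the configured tokenExpiration, in milliseconds here.
    static final long TOKEN_EXPIRATION_MS = 2L * 60 * 60 * 1000;
    // Hypothetical attribute name used only by this example.
    static final String DEADLINE_ATTR = "example.session.deadline";

    /** Call once after a successful login, before storing sensitive data. */
    static void startDeadline(HttpSession session, long nowMs) {
        session.setAttribute(DEADLINE_ATTR, nowMs + TOKEN_EXPIRATION_MS);
        // Cap idle time too, so the container discards abandoned sessions.
        session.setMaxInactiveInterval((int) (TOKEN_EXPIRATION_MS / 1000));
    }

    /** True when a deadline was recorded and the given time has reached it. */
    static boolean isExpired(HttpSession session, long nowMs) {
        Object deadline = session.getAttribute(DEADLINE_ATTR);
        return deadline instanceof Long && nowMs >= (Long) deadline;
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getSession(false): never create a session just to check it.
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        if (session != null && isExpired(session, System.currentTimeMillis())) {
            session.invalidate(); // drops every attribute, including the sensitive ones
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```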
Hi,
You can create a session-check service, which will basically check the session at some interval, e.g. every 5 min, via an AJAX call. If the session is invalid, you can clear the data and perform logout as well.