Invalidate HTTPSession when the login-token expires | Community
August 28, 2021
Solved

Invalidate HTTPSession when the login-token expires

  • August 28, 2021
  • 2 replies
  • 705 views

Hi,

We are storing some sensitive user information in the HTTPSession, and we would like to clear it when the login token expires.

We implemented AuthenticationHandler and used its dropCredentials() method to invalidate the HTTPSession. But this only works when the user clicks the logout button explicitly. However, we also want to invalidate the HTTPSession whenever the login token expires. Is there any event that is emitted whenever the login token expires, or any specific filter to implement to invalidate the HTTPSession on token expiration?

Thanks.

2 replies

arunpatidar
Community Advisor
August 29, 2021

Hi,

You can create a session-check service, which will basically check the session at some interval, e.g. every 5 min via an AJAX call. If the session is invalid, you can clear the data and perform logout as well.

Arun Patidar
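
The polling approach from the reply above, sketched as an added example that is not part of the original thread or of any AEM API. The endpoint paths, the `{"valid": true}` reply shape and the injected `deps` object are assumptions; logout is assumed to go through the dropCredentials() path described in the question.

```javascript
// Added example. CHECK_URL, LOGOUT_URL and the {"valid": bool} reply are assumptions.
const CHECK_URL = '/bin/example/session-check'; // hypothetical endpoint
const LOGOUT_URL = '/bin/example/logout';       // hypothetical logout path

// Map one poll result to a decision. Fails closed: only an explicit
// "valid" from the server keeps the session; transport and server errors
// are "unknown" (retry on the next tick instead of logging the user out).
function classify(status, body) {
  if (status === 401 || status === 403) return 'expired';
  if (status === 0 || status >= 500) return 'unknown';
  if (status === 200 && body && body.valid === true) return 'valid';
  return 'expired'; // e.g. 200 with a login page (body is null) or valid:false
}

function createSessionMonitor(deps) {
  let timer = null;
  let done = false;

  function stop() {
    if (timer !== null) deps.clearInterval(timer);
    timer = null;
  }

  function handle(status, body) {
    const state = classify(status, body);
    if (state === 'expired' && !done) {
      done = true;               // act once, even if polls overlap
      stop();
      deps.storage.clear();      // drop client-side copies of user data
      deps.navigate(LOGOUT_URL); // explicit logout, assumed to run dropCredentials()
    }
    return state;
  }

  async function tick() {
    try {
      const res = await deps.fetch(CHECK_URL, { credentials: 'same-origin', cache: 'no-store' });
      const body = await res.json().catch(() => null); // HTML login page => null
      return handle(res.status, body);
    } catch (e) {
      return handle(0, null); // network failure
    }
  }

  function start(intervalMs) { timer = deps.setInterval(tick, intervalMs); }
  return { start, stop, tick, handle };
}
// Browser wiring: pass fetch, sessionStorage, (u) => location.assign(u),
// setInterval and clearInterval as deps, then call start(5 * 60 * 1000).
```

The poller only runs while a page is open, so the server-side session timeout remains the backstop for closed tabs.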
Asutosh_Jena_
Community Advisor
Accepted solution
August 30, 2021

Hi @ansrk

You can use the expiration time of your HTTPSession from org.apache.jackrabbit.oak.security.authentication.token.TokenConfigurationImpl using the "tokenExpiration" field. When the expiration time is reached, the login token and the HTTPSession cookie will both expire at the same time.

Thanks!