SOLVED

Invalidate HTTPSession when the login-token expires

ansrk
Level 2

Hi,

 

We are storing some sensitive user information in the HTTPSession, and we would like to clear it when the login token expires.

 

We implemented AuthenticationHandler and used its dropCredentials() method to invalidate the HTTPSession. But this only works when the user clicks the logout button explicitly. However, we also want to invalidate the HTTPSession whenever the login token expires. Is there any event that is emitted whenever the login token expires, or any specific filter we can implement to invalidate the HTTPSession on token expiration?

 

Thanks.

1 Accepted Solution
asutosh_jena
Correct answer by
Community Advisor

Hi @ansrk 

 

You can use the expiration time of your HTTPSession from org.apache.jackrabbit.oak.security.authentication.token.TokenConfigurationImpl using the "tokenExpiration" field. When the expiration time is reached, the login token and the HTTPSession cookie will both expire at the same time.

 


 

Thanks!


2 Replies
Arun_Patidar
Community Advisor

Hi,

You can create a session-check service, which will basically check the session at some interval, e.g. every 5 min via an AJAX call. If the session is invalid, you can clear the data and perform the logout as well.
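
A server-side complement to the approaches in this thread, as an added example that is not part of the original posts: a request filter that invalidates the HTTPSession as soon as the request is no longer authenticated as the user who owns the stored data. The class name, the `app.sensitive.owner` attribute, and the premise that a request with an expired login token reaches the filter with no user or as `anonymous` are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.osgi.service.component.annotations.Component;

// Hypothetical filter: drops the HTTPSession once its owner is no longer logged in.
@Component(service = Filter.class, property = { "sling.filter.scope=REQUEST" })
public class SessionOwnerFilter implements Filter {

    // Hypothetical attribute; set it to the user ID when sensitive data is first stored.
    static final String OWNER_ATTR = "app.sensitive.owner";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpSession session = request.getSession(false); // never create a session here
            if (session != null && !ownerStillLoggedIn(session, request.getRemoteUser())) {
                session.invalidate(); // discards every attribute, including the sensitive data
            }
        }
        chain.doFilter(req, res);
    }

    // True when the session holds no owned data, or the current user is its owner.
    static boolean ownerStillLoggedIn(HttpSession session, String remoteUser) {
        Object owner = session.getAttribute(OWNER_ATTR);
        if (owner == null) {
            return true; // nothing sensitive was stored in this session
        }
        // Assumption: an expired token leaves the request with no user or "anonymous".
        return remoteUser != null && !"anonymous".equals(remoteUser) && owner.equals(remoteUser);
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }
}
```

Because the owner is compared on every request, the session is also discarded if a different user logs in on the same browser before the old session times out.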
