SOLVED

Session Timeout Value - "Sling Authenticator"


Level 2

Hi,

We are using the out-of-the-box "Sling Authenticator service" for login. Can someone tell me how I make sure that the session never times out? Any configuration?

 

@SlingServlet(paths = "/bin/tnt/login", extensions = "html")
public class LoginServlet extends SlingAllMethodsServlet {

    private static final long serialVersionUID = 1L;

    @Reference(cardinality = ReferenceCardinality.OPTIONAL_UNARY, policy = ReferencePolicy.DYNAMIC)
    private volatile Authenticator authenticator;

    @Override
    protected void doPost(final SlingHttpServletRequest request, final SlingHttpServletResponse response)
            throws ServletException, IOException {
        authenticator.login(request, response);
    }
}

 

 

Regards

1 Accepted Solution


Correct answer by
Employee

Hi,

For this requirement, you'll need to implement your own AuthenticationHandler which implements a cookie-based "Remember Me" type of functionality. The tokens used in AEM are not meant to be used for long-lived logins in the manner you are describing.

Regards,

Justin


10 Replies


Level 3

Could be wrong but have you tried changing the Day CQSE HTTP Service timeout setting?


Level 10

I think you need to create a custom authenticator to handle this!


Level 2

Hi Scot,

Is the Form Based Auth Handler service available in AEM 6.0 SP1? I don't find it. Is it removed in AEM 6.0?


Employee Advisor

Hi,

Why do you want sessions never to time out? Only for a specific user?

Kind regards,
Jörg


Level 2

Hi,

This is for all the users, not for a specific user.

The requirement was: once logged in to that site, never expire that login session. From a business use case of this client, it really makes sense given the kind of users they deal with - it would certainly increase their site visits given their use cases.

Apparently, I am kind of stuck on how to enable "never expire login session" or at least figure out a way to set a higher expiration, let's say "1 Month".

I was thinking the Form Authentication Handler would help here - given that it has an option to provide "Session Expiry Val" and also the ability to use cookie-based rather than session-bound.

Can you please let me know how to proceed with the Form Auth Handler with AEM 6.0?

I've been with CQ for 4 years - never stuck like this before :) Any help greatly appreciated.

Thanks


Level 10

You can configure Sling Authentication service here:

http://localhost:4502/system/console/configMgr

[img]authconfig.png[/img]

However - not seeing a timeout value. You may have to write a custom service for this. 

Watch Justin's session on secure web sites.

See: http://adobe.ly/1F5VLpH.


Level 2

Thanks everyone for the responses.

I was thinking maybe the FormAuthenticationHandler would help here... this has the option to specify a session expiry val?

http://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationh...

Alternatively, I was wondering if just changing the token expiration below helps?

org.apache.jackrabbit.oak.security.authentication.token.TokenConfigurationImpl


Level 2

Hi Scott, your thoughts on the above?


Level 2

Hi Justin,

Thank you for clarifying. 

Do you have an example/sample custom auth handler for cookie-based "remember me" login functionality? It would be great if you can help me with some links/blogs/code samples if you have any.

Regards