This conversation has been locked due to inactivity. Please create a new post.
Hi,
I am using AEM 6.1 and have a problem: the login-token cookie is a session cookie and is automatically cleared when the browser is closed.
My question is, could we update the expiry time for that cookie so it is retained for a period of time on the client side?
I did a lot of searches, but they only mentioned how to configure the server-side token (under "/home/users/usernode").
Furthermore, if this is possible, does it cause any security problem?
Is it good practice to do it with Apache mod_header (overriding the Set-Cookie response header)?
Regards,
Thanh
Hi,
My solution: Because the “login-token” cookie comes from the OTB Token Login Module of AEM, we cannot edit its Expires/Max-Age on the AEM side unless we create a new login module. The easiest way is to use Apache HTTP mod_header to override the “Set-Cookie login-token” response header of the authentication request.
Area 1: Use Apache HTTP mod_header to rewrite the Set-Cookie header of the authentication response.
Add this line to the Apache configuration:
Header edit Set-Cookie ^(login-token.*)$ $1;max-age=99999999
Area 2: Configure the server-side “Expire Session” so the expiry time is consistent with the client cookie.
http://aemfaq.blogspot.com.au/2014/10/how-to-set-timeout-for-login-token.html
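Added example, not from the original thread: it replays the Header edit rule above on a constructed Set-Cookie header and checks the result the way a reviewer of Area 2 would, comparing the cookie's max-age against the server-side token lifetime (Oak's tokenExpiration, in milliseconds). The sample cookie value and the two-hour lifetimes are assumptions for the demonstration.

```python
import re
from http.cookies import SimpleCookie

# The forum's Apache rule, "Header edit Set-Cookie ^(login-token.*)$ $1;max-age=N",
# expressed as a Python regex substitution (Apache's $1 back-reference is group(1) here).
HEADER_EDIT_PATTERN = re.compile(r"^(login-token.*)$")

# Constructed sample of what AEM sends on login (the real token value is longer).
SAMPLE_SET_COOKIE = "login-token=CONSTRUCTED-TOKEN-VALUE; Path=/; HttpOnly; Secure"

def apache_header_edit(set_cookie: str, max_age: int) -> str:
    """Apply the Header edit rule to one Set-Cookie header value."""
    return HEADER_EDIT_PATTERN.sub(lambda m: f"{m.group(1)};max-age={max_age}", set_cookie)

def parse_login_token(set_cookie: str) -> dict:
    """Parse the (rewritten) header and extract the attributes a reviewer cares about."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar["login-token"]
    return {
        "max_age": int(morsel["max-age"]) if morsel["max-age"] else None,
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
    }

def check_consistency(set_cookie: str, token_expiration_ms: int) -> list:
    """Compare the client cookie with the server-side token lifetime (tokenExpiration in
    TokenConfigurationImpl is in milliseconds) and return the problems found."""
    attrs = parse_login_token(set_cookie)
    problems = []
    if attrs["max_age"] is None:
        problems.append("cookie is still a session cookie (no max-age)")
    elif attrs["max_age"] * 1000 > token_expiration_ms:
        problems.append("cookie outlives the server-side token: the browser keeps "
                        "sending a dead token until max-age runs out")
    if not attrs["httponly"]:
        problems.append("HttpOnly lost: token readable from page scripts")
    if not attrs["secure"]:
        problems.append("Secure missing: token may be sent over plain HTTP")
    return problems

if __name__ == "__main__":
    # Two hours on both sides: the rewritten cookie passes the check.
    two_hours_ms = 2 * 60 * 60 * 1000
    rewritten = apache_header_edit(SAMPLE_SET_COOKIE, two_hours_ms // 1000)
    print(rewritten)
    print(check_consistency(rewritten, two_hours_ms))  # []
    # The forum's max-age=99999999 (about three years) against the same server setting.
    print(check_consistency(apache_header_edit(SAMPLE_SET_COOKIE, 99999999), two_hours_ms))
```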
See this :- FAQ: How to set timeout for login-token
// For AEM 6+
Configure tokenExpiration at http://<host>:<port>/system/console/configMgr/org.apache.jackrabbit.oak.security.authentication.token.TokenConfigurationImpl
Also make sure to set Token Length, otherwise it will throw the exception "org.eclipse.jetty.servlet.ServletHandler / java.lang.IllegalArgumentException: Invalid token ''"
For more details on AEM 6+, refer to http://jackrabbit.apache.org/oak/docs/security/authentication/tokenmanagement.html
Source :- FAQ: How to set timeout for login-token
~kautuk
Hi Kautuk,
Thanks for your answer, but those references only talk about token configuration on the server side. My question was about the client-side cookie "login-token" (session ID).
The authentication process is: AEM uses a cookie named "login-token" as a session ID, which is stored in the user's browser (client side). For subsequent requests, AEM uses that cookie "session id" to query the session object under "/home/users/<usernode>/.token". Therefore "session expired time" is a property of the node ".token" (server side).
I am thinking of using Apache Http to rewrite the cookie.
Regards,
Thanh