1
votes

I am building a hybrid application, and we are facing an issue with sessions in the application. We defined a 1-minute session in the worklight.properties file, but after one minute, if I try to call an adapter service, it still works. How can I maintain the session in my application, given that the user is not logged out? Also, after the session times out, how will the logged-in user be redirected to the login page?

Here is my worklight.properties entry:

serverSessionTimeout=1 

My security realm is defined below:

authenticationConfig.xml

<securityTests>

    <mobileSecurityTest name="PushSecurityTest">
        <testAppAuthenticity />
        <testUser realm="AuthRealm" />
        <testDeviceId provisioningType="none" />
    </mobileSecurityTest>

    <customSecurityTest name="PushSecurityTestNew">
        <test realm="wl_antiXSRFRealm" />
        <test realm="wl_authenticityRealm" />
        <test realm="wl_remoteDisableRealm" />
        <test realm="wl_anonymousUserRealm" isInternalUserID="true" />
        <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" />
    </customSecurityTest>

    <customSecurityTest name="SubscribeServlet">
        <test realm="SubscribeServlet" isInternalUserID="true"/>
    </customSecurityTest>

</securityTests>

<realms>
    <realm loginModule="AuthLoginModule" name="AuthRealm">
        <className>com.worklight.integration.auth.AdapterAuthenticator</className>
        <parameter name="login-function" value="PushAdapter.onAuthRequired"/>
        <parameter name="logout-function" value="PushAdapter.onLogout"/>
    </realm>
    <realm name="SubscribeServlet" loginModule="rejectAll">
        <className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
    </realm>
</realms>

<loginModules>
    <loginModule expirationInSeconds="-1" name="AuthLoginModule">
        <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>

    <loginModule name="requireLogin" expirationInSeconds="-1">
        <className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
    </loginModule>

    <loginModule name="rejectAll" expirationInSeconds="-1">
        <className>com.worklight.core.auth.ext.RejectingLoginModule</className>
    </loginModule>
</loginModules>

Query 

How will the session timeout work, and how will the user be redirected to the login page after a session timeout?

1
In your worklight.properties, can you check the values of mfp.session.independent and mfp.attrStore.type? - Nathan H
@NathanH The mfp.session.independent and mfp.attrStore.type properties are not available in my worklight.properties. - Priyank
Is your project using 7.1 from scratch, or did you import/upgrade from a previous version of MFP? - Nathan H
@NathanH it's 7.1 from scratch - Priyank
Thanks - composing an answer now. - Nathan H

1 Answer

2
votes

By default, MobileFirst Platform 7.1 uses a mode called "session independent". This means that it does not use the concept of a session at all, and the value for serverSessionTimeout is no longer relevant.

Instead, the values you should look at are the expirationInSeconds for each of your loginModule elements. Each login module can have its own expiration time. Try a value of 60 seconds and see how it affects your flow.

Regarding "how user will redirect to login page", this is all done through your challenge handler. When a request is sent to a protected adapter and the login module has expired, you will receive the same challenge that was sent for the first request.

It is up to you, in code, to catch the challenge (with a challenge handler) and display the correct login prompt to the user.
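
A sketch of the challenge-handler flow the answer describes, added here as an example and not part of the original answer: the same handler shows the login prompt on first access and again after the login module expires. Assumptions: the `{ authRequired, errorMessage }` response shape from `PushAdapter.onAuthRequired`, the `submitAuthentication` procedure name, and the `ui` object are hypothetical; `WL` is passed in as a parameter so the logic can be exercised outside the device runtime.

```javascript
// Added example, not from the original post. Assumptions are marked below.
"use strict";

// ASSUMPTION: PushAdapter.onAuthRequired returns { authRequired: true, errorMessage: "..." }
// and a successful login returns { authRequired: false }.
function authState(response) {
  var body = response && response.responseJSON;
  if (!body || typeof body.authRequired === "undefined") return "none";
  return body.authRequired ? "required" : "granted";
}

// wl: the WL global of the hybrid runtime, injected so this can run offline.
// ui: hypothetical object exposing showLogin(message, onSubmit) and hideLogin().
function registerAuthRealmHandler(wl, ui) {
  var handler = wl.Client.createChallengeHandler("AuthRealm"); // realm name from the page

  // Inspected for every server response; true routes it to handleChallenge.
  handler.isCustomResponse = function (response) {
    return authState(response) !== "none";
  };

  // Runs on the first protected call and again once expirationInSeconds has elapsed.
  handler.handleChallenge = function (response) {
    if (authState(response) === "granted") {
      ui.hideLogin();
      handler.submitSuccess(); // lets the framework replay the original request
      return;
    }
    ui.showLogin(response.responseJSON.errorMessage || "", function (user, pass) {
      handler.submitAdapterAuthentication({
        adapter: "PushAdapter",            // adapter name from the page
        procedure: "submitAuthentication", // ASSUMPTION: hypothetical login procedure
        parameters: [user, pass]
      }, {});
    });
  };
  return handler;
}
// In the app, call registerAuthRealmHandler(WL, loginUi) once, e.g. from wlCommonInit().
```

With `expirationInSeconds="60"` on `AuthLoginModule`, the second challenge arrives on the first protected adapter call made after the identity expires, not at the moment of expiry.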