1 Reply Latest reply on Nov 17, 2005 5:32 PM by rharrington

    persisting credentials beyond session

    rharrington

      Have looked at the various suggested first stops. Haven't seen this issue discussed though.

      I understand why authentication is re-required when the session is invalidated and that session invalidation wipes out the security credential for that user. Makes perfect sense and is probably the desired behavior for many web-apps.

      I have a need to have authentication credentials persist (i.e. to not make users log in again) after a session is invalidated. I have implemented this in a home-grown login module using a cookie, whose expiry date I can (obviously) set. It is currently set to 12 hours which is what our users have requested (it's an internal IT app). The result is basically that most users will just need to log in in the morning when they get to work, then close and re-open the browser throughout the day without having to deal with the annoyance of logging in every time they open a new browser session.

      I am porting that app to use jboss security via the DatabaseServerLoginModule and it all works great, except for the part where I am kicking users off when the session closes.

      I would think that the need for security credentials to live beyond the session is a sort of common use case. Is there support for doing something like this out of the box in jboss, or is there a generally accepted approach to doing this?

      I was thinking if I had to do it myself I would continue to drop my cookie upon successful access to the app, then on every request, read what the system says the Principal is, and if it's null (due to the session having been closed) I'd reset the credentials some way from info in the cookie. I was thinking of using ClientLoginModule for this. Before I start down that road I wanted to check if there was a better or more commonly used/supported approach.

      I'm using form-based, jboss 4.0.1-sp1

      Thanks!
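The cookie half of the approach sketched above (issue a cookie on successful login, and on each request fall back to it when the container's Principal is null), as an added example that is not the poster's code and not part of JBoss: the cookie carries only the username and a 12-hour expiry, bound by an HMAC under a server-side secret, so the password never leaves the server and a client cannot edit the name or extend the expiry. `SERVER_SECRET`, the function names and the `|`-separated format are assumptions for illustration; the step that actually re-establishes the JBoss security context from the returned name (e.g. via ClientLoginModule) is not shown.

```python
import hashlib
import hmac
import time

# Assumed: a secret known only to the server-side login code (constructed demo value).
SERVER_SECRET = b"constructed-demo-secret-replace-and-rotate"
TTL_SECONDS = 12 * 60 * 60  # the 12-hour lifetime the users asked for


def _mac(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username: str, now: float = None) -> str:
    """Build the persistent-login cookie value as user|expiry|mac.

    Only the username and an absolute expiry are embedded; the HMAC covers both,
    so tampering with either field invalidates the cookie.
    """
    now = time.time() if now is None else now
    payload = f"{username}|{int(now) + TTL_SECONDS}"
    return f"{payload}|{_mac(payload)}"


def principal_from_cookie(cookie: str, now: float = None):
    """Return the username the cookie vouches for, or None if it is unusable
    (malformed, forged/altered, or past its expiry)."""
    now = time.time() if now is None else now
    try:
        username, expiry_str, mac = cookie.split("|")  # extra '|' -> ValueError
        expiry = int(expiry_str)
    except ValueError:
        return None
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(mac, _mac(f"{username}|{expiry}")):
        return None
    if now >= expiry:
        return None
    return username


def resolve_principal(session_principal, cookie, now: float = None):
    """The per-request check from the post: keep the container's Principal while
    the session still has one, otherwise fall back to the cookie."""
    if session_principal is not None:
        return session_principal
    if cookie is None:
        return None
    return principal_from_cookie(cookie, now)
```

Because the expiry is absolute and signed, closing and re-opening the browser within the 12 hours yields the same name, while a cookie presented after that window, or with any byte changed, yields None and the user is sent back to the login form.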

        • 1. Re: persisting credentials beyond session
          rharrington

          Still looking for a simple pointer for this. Sorry if it's too basic for this forum, but I haven't been able to find this in the recommended sources. Again: simple web app, would like to keep login credentials alive beyond the session expiry/kill. Is there a standard way of doing this, and if not is there a recommended (custom) way?

          Thanks very much.