
Gateway: The behaviour is analogous to the core-service, no matter which authentication method is used. The only difference is that the header is called GWSESSIONID instead of JSESSIONID.

This is the standard way of handling sessions via cookies, as described in https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies and "What is JSESSIONID in Java Web application".
Current HTTP frameworks usually handle cookies automatically, so you don’t have to implement the above procedure yourself. With Apache HttpComponents, for example, creating the HttpClient as follows already suffices:

```java
CookieStore cookieStore = new BasicCookieStore();
CloseableHttpClient httpclient = HttpClientBuilder.create()
        /* [...] further builder configuration */
        .setDefaultCookieStore(cookieStore).build();
```

Closing a session

Each session has a default timeout of 30 minutes, after which it is automatically closed if it is not used anymore. To explicitly close a session, one of the following possibilities can be employed:

  • Gateway in version >= 8.16 LTS and Core-Service:
    The header “x-os-session-keep-alive” can be sent and set to “false”. This will close the session after the current request is completed. If the header is not sent it is automatically evaluated to the value “true” which will cause the session timeout to be reset.

  • Gateway only:
    For gateway versions >= 8.16 LTS: Call the URL <gateway>/logout . This will tell the gateway to close the session and it will return a HTTP 200 OK response.
    For gateway versions < 8.16 LTS: Call the URL <gateway>/logout?redir=/auth/info . In these versions the gateway would close the session but return a HTTP Forwarding response to the login form, which would open a new session if a valid authentication (e.g. the Basic Auth header) is available. The redir parameter prevents this: it tells the gateway to forward to the /auth/info page, which does not require authentication and thus won’t open a new session again.
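
Both ways of closing a session described above, as an added example that is not part of the original page or the product's own code. It assumes Apache HttpClient 4.x; the class name, the command-line arguments and the omitted authentication setup are assumptions.

```java
import java.io.IOException;
import org.apache.http.client.CookieStore;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;

public class SessionCloseExample {
    // Sends a GET and returns the status code. keepAlive == false adds the header that
    // makes the server close the session once this request has completed.
    static int get(CloseableHttpClient client, String url, boolean keepAlive) throws IOException {
        HttpGet request = new HttpGet(url);
        if (!keepAlive) {
            request.setHeader("x-os-session-keep-alive", "false"); // absent header counts as "true"
        }
        try (CloseableHttpResponse response = client.execute(request)) {
            EntityUtils.consume(response.getEntity()); // drain body so the connection is released
            return response.getStatusLine().getStatusCode();
        }
    }

    // Gateway logout URL; versions before 8.16 LTS need redir to avoid the login form.
    static String logoutUrl(String gateway, boolean before816Lts) {
        return gateway + (before816Lts ? "/logout?redir=/auth/info" : "/logout");
    }

    public static void main(String[] args) throws IOException {
        String gateway = args[0];   // placeholder: gateway base URL
        String resource = args[1];  // placeholder: any URL requested during normal work
        boolean before816Lts = Boolean.parseBoolean(args[2]);

        CookieStore cookieStore = new BasicCookieStore();
        try (CloseableHttpClient client = HttpClientBuilder.create()
                /* authentication setup omitted, as in the page's snippet */
                .setDefaultCookieStore(cookieStore).build()) {
            get(client, resource, true); // normal request; session cookie lands in cookieStore
            int status = before816Lts
                    ? get(client, logoutUrl(gateway, true), true)  // old gateway: logout URL
                    : get(client, resource, false);                // header closes the session
            cookieStore.clear(); // drop the now invalid session ID on the client side too
            System.out.println("session closed, last status " + status);
        }
    }
}
```

Clearing the cookie store after the closing request keeps the client from presenting the stale session ID on a later request.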