On top of this, we can provide 'session activity' to end users. That will eliminate some of the security concerns.
On Tue, Feb 2, 2016 at 3:50 PM, Dinusha Senanayaka <[email protected]> wrote:

> Hi All,
>
> *How do we handle authenticated user session currently*
>
> We use Hazelcast cache in the gateway and once the user is first authenticated from the IdP, we create a new cookie and put it in this cache. Then all other web app access requests are served from the gateway cache until it expires, without calling the IdP for each page load.
>
> *Issue with above model*
>
> We have used the default CacheManager to initialize the above mentioned cache, which has a 15 min expiry time. By default the IdP session is also set to 15 min. Even though the user is actively accessing the app till the 15 min, the IdP will see him as an idle user since requests are not going to the IdP and are served from the gateway cache. Hence, both the GW cache and the IdP session get cleared after 15 min and the user gets redirected to the login page.
>
> *Solution*
>
> As per the discussion had with Dulanja, instead of using the default cache manager, we could initialize a cache manager which expires based on last access time. Refer thread [1]. So that the gateway cache (session) will be active as long as the user is accessing the web app. But the IdP will get timed out, which won't be an issue to access the app. But can this cause a security threat since the cache won't get expired as long as the user is active?
>
> [1]. [Dev] Set a desired value to HazelCast Cache Timeout
>
> Regards,
> Dinusha.
>
> --
> Dinusha Dilrukshi
> Associate Technical Lead
> WSO2 Inc.: http://wso2.com/
> Mobile: +94725255071
> Blog: http://dinushasblog.blogspot.com/
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
/sumedha
m: +94 773017743
b : bit.ly/sumedha
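The following is an added example that is not part of the thread, of WSO2's gateway, or of the Hazelcast API. It models the two expiry policies the thread compares (the default fixed 15 min expiry versus expiry based on last access time) as a plain in-memory cache with an injectable clock, so the behaviour Dinusha describes can be replayed: an actively browsing user is redirected at minute 15 under the fixed policy and stays logged in under the sliding one. Two things are assumptions added here, not proposals from the thread: an optional absolute lifetime cap, which bounds how long a sliding session can live no matter how active the user is, and a per-session activity record of the kind Sumedha's 'session activity' view could be built from. The cookie value and user name are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MINUTE = 60.0


@dataclass
class SessionEntry:
    """What the gateway holds per cookie. created_at/last_access are seconds on an injected clock."""
    user: str
    created_at: float
    last_access: float
    accesses: int = 0


class GatewaySessionCache:
    """Toy model of the gateway-side session cache discussed in the thread.

    sliding=False: entry expires idle_timeout after creation, whatever the user does
                   (the default CacheManager behaviour described by Dinusha).
    sliding=True:  entry expires idle_timeout after the last access (the proposed change).
    absolute_lifetime: hypothetical hard cap in seconds, assumed here to bound a sliding
                   session; None reproduces the thread's proposal with no cap.
    """

    def __init__(self, idle_timeout: float = 15 * MINUTE, sliding: bool = True,
                 absolute_lifetime: Optional[float] = None) -> None:
        self.idle_timeout = idle_timeout
        self.sliding = sliding
        self.absolute_lifetime = absolute_lifetime
        self._entries: Dict[str, SessionEntry] = {}

    def put(self, cookie: str, user: str, now: float) -> None:
        """Called once after the IdP has authenticated the user and the gateway issues a cookie."""
        self._entries[cookie] = SessionEntry(user=user, created_at=now, last_access=now)

    def _expired(self, entry: SessionEntry, now: float) -> bool:
        if self.absolute_lifetime is not None and now - entry.created_at >= self.absolute_lifetime:
            return True  # hard cap reached regardless of activity (assumed policy)
        reference = entry.last_access if self.sliding else entry.created_at
        return now - reference >= self.idle_timeout

    def get(self, cookie: str, now: float) -> Optional[str]:
        """Serve a page load from the cache: returns the user, or None when the gateway
        would redirect to the IdP login page. Expired entries are evicted on lookup."""
        entry = self._entries.get(cookie)
        if entry is None:
            return None
        if self._expired(entry, now):
            del self._entries[cookie]
            return None
        entry.last_access = now   # recorded in both modes; only the sliding mode expires on it
        entry.accesses += 1
        return entry.user

    def activity(self, cookie: str) -> Optional[dict]:
        """Data for a 'session activity' view: when the session started, when it was last
        used and how many requests it served. None once the entry is gone."""
        entry = self._entries.get(cookie)
        if entry is None:
            return None
        return {"user": entry.user, "created_at": entry.created_at,
                "last_access": entry.last_access, "accesses": entry.accesses}


def run_scenario(cache: GatewaySessionCache, request_minutes: List[int]) -> List[int]:
    """Log in at minute 0 (constructed cookie), then replay page loads at the given minutes.
    Returns the minutes at which the request was still served from the gateway cache."""
    cache.put("cookie-abc", "alice", now=0.0)
    served = []
    for m in request_minutes:
        if cache.get("cookie-abc", now=m * MINUTE) is not None:
            served.append(m)
    return served


if __name__ == "__main__":
    every_five = list(range(5, 45, 5))
    print("fixed 15 min  :", run_scenario(GatewaySessionCache(sliding=False), every_five))
    print("sliding       :", run_scenario(GatewaySessionCache(sliding=True), every_five))
    print("sliding+30cap :", run_scenario(
        GatewaySessionCache(sliding=True, absolute_lifetime=30 * MINUTE), every_five))
```

Run as a script it prints the served minutes for the three policies; the fixed policy drops the active user at minute 15, the sliding policy keeps serving, and the capped sliding policy stops at minute 30. The `activity()` record is what an end-user "your sessions" view would be populated from, and the cap is the kind of bound a practitioner would want before letting a gateway session outlive the IdP session indefinitely.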
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
