Hello,
I'm currently having trouble with my custom authenticator: each time a user logs in through it, a new session is created.
My user reaches my ThingWorx server (8.4.0-b2013) with a REST call. The whole authentication process works fine, but a new session is created with each request.
After some investigation, I think that only having the cookie served by ThingWorx across Tomcat allows the active session to be found. However, I don't use the cookie, as it would bypass my custom authentication process.
It seems that whether x-thingworx-session equals true or false doesn't change anything.
Maybe there is a way to find the active session without a cookie.
I know I could limit the maximum number of sessions per user in the configuration, but my goal is to use data stored in the session, so even if I limit the number, a new session would be created and I would lose the data already stored.
Any ideas?
Hi @Dorian, I think x-thingworx-session is designed for the constantly WebSocket-connected page. For example, if you want to log in to the mashup without typing in the credentials, you can add the appKey and x-thingworx-session parameters to do so.
And yes, I believe every login of ThingWorx will create a new session by default.
As for the setSupportsSession parameter, I'm curious about that too; I guess you can try it. The question may become how to pass/set an existing session in customized authenticators.
Hi @Dorian.
What is the use of a custom authenticator for using a REST request?
Can you provide more information on your use case?
Regards.
--Sharon
Thank you for taking the time to look into the issue, @slangley.
I made a custom authenticator based on a Bearer Token because native auth, with its use of cookies, was not compliant with my client's wishes on security.
On each request, I check the Bearer Token.
Now, the custom authenticator works just fine: the user logs in and has access to my endpoint.
It's just that "new ThingWorx session on each call" business I can't figure out.
I'm looking for a way to reuse the one the user already has.
Through the APIs and documentation, I think the function setSupportsSession would help, but I'm not sure at all.
Hi @Dorian.
Have you found a solution to your problem? If one of the previous responses allowed you to find a solution, please mark the appropriate one as the Accepted Solution for the benefit of others with the same issue. If you still need assistance, please let us know.
Regards.
--Sharon
Hi,
Thanks for your response.
I didn't find a solution to my problem; I had to find another way.
I use an appKey, but even with that, a new session is created each time.
And for the question of how to pass/set an existing session in customized authenticators: no solution found.
So I create a new session each time, but I limit the number of sessions to one.