cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Want the oppurtunity to discuss enhancements to PTC products? Join a working group! X

Avoid custom auth to create new session

Dorian
6-Contributor

Avoid custom auth to create new session

Hello,

 

I'm currently having trouble with my custom authenticator: each time a user logs through it, a new session is created.


My user reach my thingworx server (8.4.0-b2013) with REST call. All the process of the authentication works fine but a new session is created with each request. 


After some investigation, I think only having the cookie served by thingworx across tomcat allows to find the active session. However I don't use the cookie as it would bypass my custom process of authentication.

 

It seems x-thingworx-session equals to true or false doesn't change anything 


Maybe there is a way to find the active session without cookie

 

I know I could limit the maximum number of session per user in configuration, but my goal is to use data stored in the session, so even if I limit the number, a new session would be created and I will lose data already stored

 

Any ideas?

1 ACCEPTED SOLUTION

Accepted Solutions
CharlesJi
14-Alexandrite
(To:Dorian)

Hi @Dorian, I think x-thingworx-session is designed for the constantly WebSocket-connected page. For example, if you want to log in the mashup without typing in the credentials you can add appKey and x-thingworx-session parameter to do so.

And yes, I believe every login of ThingWorx will create a new session by default.

As for the setSupportsSession parameter, I'm too curious about that, I guess you can try with it. The question may become how to pass/set an existing session in customized authenticators.

View solution in original post

5 REPLIES 5
slangley
23-Emerald II
(To:Dorian)

Hi @Dorian.

 

What is the use of a custom authenticator for using a REST request?

 

Can you provide more information on your use case?

 

Regards.

 

--Sharon

Dorian
6-Contributor
(To:slangley)

Thank you for taking the time to look into the issue @slangley .
I made a custom authenticator based on Bearer Token because native auth with its use of cookies was not compliant with my client's wishes on security.

On each request, I check the bearer Token

Now, the custom authenticator works just fine: the user logs in and has access to my endpoint
It's just that new thingworx session each call business I can't figure out.
I'm looking for a way to reuse the one the user already has.

 

Through the APIs and documentation, I think function setSupportsSession would help, but I'm not sure at all

slangley
23-Emerald II
(To:slangley)

Hi @Dorian.

 

Have you found a solution to your problem?  If one of the previous responses allowed you to find a solution, please mark the appropriate one as the Accepted Solution for the benefit of others with the same issue.  If you still need assistance, please let us know.

 

Regards.

 

--Sharon

CharlesJi
14-Alexandrite
(To:Dorian)

Hi @Dorian, I think x-thingworx-session is designed for the constantly WebSocket-connected page. For example, if you want to log in the mashup without typing in the credentials you can add appKey and x-thingworx-session parameter to do so.

And yes, I believe every login of ThingWorx will create a new session by default.

As for the setSupportsSession parameter, I'm too curious about that, I guess you can try with it. The question may become how to pass/set an existing session in customized authenticators.

Dorian
6-Contributor
(To:CharlesJi)

Hi, 

Thanks for your response.

I didn't found a solution to my problem, I had to find another way  

I use an appKey but even with that, a new session is created each time.

And for the question: how to pass/set an existing session in customized authenticators : no solution found.

 

So I create a new session each time but I limit session number to one.

Top Tags