Logoff question - HttpSession & Security Session

Former Member
0 Kudos

Hello everyone,

I was wondering if the problem I am trying to solve was encountered by any of you.

We have a portal application that stores data into the HttpSession. Upon HttpSession timeout, we catch the appropriate events by implementing the HttpSessionBindingListener interface and do a clean-up. However, the cleanup cannot be complete unless the user is logged off entirely, including from the Security Session (or UME Session, not sure what the name is).

What happens is that the HttpSession gets invalidated/cleared but the user is not prompted with a log-in screen and hence he/she can continue navigating the portal.

Now here's what troubles me: is there a way to force the user to log-off upon HttpSession timeout?

I am very new with SAP stuff and I might not see the reason things are built the way they are but it seems to me that the two sessions are not in sync. You can easily invalidate one and the other one is still there.

Another side question would be, how else can I implement an idle timeout (i.e. after 30 minutes OF INACTIVITY, the user gets logged off)? The portal only seems to have a general timeout and not an inactivity/idle timeout setting.

Thank you in advance,

Adrian

Accepted Solutions (1)

detlev_beutner
Active Contributor
0 Kudos

Hi Adrian,

you are right, the HttpSession works as expected; anyhow, the logon time is determined by the validity period of the SAPLogonTicket, issued when logging in.

See /thread/94917 [original link is broken] for a more detailed discussion.

Hope it helps

Detlev

PS: Please consider rewarding points for helpful answers on SDN. Thanks in advance!

Former Member
0 Kudos

Hi Detlev,

Thank you for taking the time to answer my question. While the link you've provided definitely helps me understand the concept better, I am no closer to solving my problem than I was before.

I will definitely reward you the points but please take another look at my question: is there a way to implement an automatic log-off based on idle time? The SAP LOGON ticket represents an elapsed time and not an idle time. The HttpSession is based on idle time but I see its benefits are ignored by the portal implementation.

Much appreciated,

Adrian

detlev_beutner
Active Contributor
0 Kudos

Hi Adrian,

it's a pity, but I don't know a workaround, nor do others seem to. The topic has been discussed several times on SDN, for it is hard to understand why within the portal runtime "good old servlet runtime designs" do not hold any longer, especially if you have been used to being a "pure" JavaWebDeveloper...

But SAP has its own concept here, and even if I and many others would like to see the session/logon concept working as expected (i.e.: as a web developer would expect it from the classic web world), so far no one has found a workaround.

An application could try to react on session invalidation and in that case logout the user programmatically, see https://media.sdn.sap.com/javadocs/NW04/SP9/ume/com/sap/security/api/IAuthentication.html#logout(jav...

But even if your application would do so - others won't. And if the user's http session just got invalid for idle time reasons, a new session will be created immediately and he won't be logged out if he doesn't call your application in just this moment (and I'm even unsure if the new session isn't already created by the framework before you will check it; anyhow, you could check if a certain object is part of the session, so you would know if this is really an old or a new session).

Hope it helps nevertheless

Detlev
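As an added illustration of the approach Detlev sketches above (react to the expired HttpSession and end the security session programmatically), here is a servlet filter. It is not code from this thread or from SAP. The `UMFactory.getAuthenticator()` call and the `logout(request, response)` signature are assumed from the truncated IAuthentication javadoc link, and the filter assumes the container exposes the logon-ticket user through `getUserPrincipal()`; both should be checked against the NetWeaver release in use. Instead of a marker object in the session, it uses the standard servlet check `isRequestedSessionIdValid()`, which is false exactly when the browser still sends a JSESSIONID that the container has already expired, so a first login (no stale id presented) is not mistaken for a timeout.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// UME types assumed from the IAuthentication javadoc linked in the thread;
// verify package names and the logout signature for your NetWeaver release.
import com.sap.security.api.IAuthentication;
import com.sap.security.api.UMFactory;

/**
 * Ends the SAP security session when the container reports that the
 * client's HttpSession has expired (idle timeout or explicit invalidate()).
 *
 * Detection rule: the browser presented a session id that the container no
 * longer recognises, yet the request still carries an authenticated principal
 * from the logon ticket. On a first login no stale id is presented, so the
 * rule does not fire there.
 */
public class IdleLogoutFilter implements Filter {

    private String logonPage; // where to send the user after logout (init-param)

    public void init(FilterConfig cfg) {
        logonPage = cfg.getInitParameter("logonPage");
        if (logonPage == null) {
            logonPage = "/";
        }
    }

    /** True when the request carries a session id that is no longer valid. */
    static boolean presentsStaleSessionId(HttpServletRequest request) {
        return request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Assumption: the portal container maps the logon ticket to a principal.
        boolean stillAuthenticated = request.getUserPrincipal() != null;

        if (presentsStaleSessionId(request) && stillAuthenticated) {
            // HttpSession is gone but the ticket still authenticates the user:
            // terminate the security session too, then force re-authentication.
            IAuthentication auth = UMFactory.getAuthenticator(); // assumed factory call
            auth.logout(request, response);                       // assumed signature
            response.sendRedirect(request.getContextPath() + logonPage);
            return;
        }

        chain.doFilter(request, response);
    }

    public void destroy() {
    }
}
```

The filter is registered in web.xml with a filter-mapping that covers the application's URLs. Detlev's caveat from the post still applies: the check only runs on requests that reach this application, so a user who idles and then opens a different portal application is not logged out by it, and it cannot substitute for a portal-wide idle timeout.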

Former Member
0 Kudos

Detlev,

Excellent explanation! Now I know where I stand.

The question is now answered.

Cheers,

Adrian
