Hi All,

*How do we handle authenticated user session currently*

We use a Hazelcast cache in the gateway, and once the user is first authenticated by the IdP, we create a new cookie and put it into this cache. All subsequent web app access requests are then served from the gateway cache until it expires, without calling the IdP for each page load.

*Issue with above model*

We have used the default CacheManager to initialize the above cache, which has a 15 min expiry time. By default the IdP session is also set to 15 min. Even though the user is actively accessing the app for the whole 15 min, the IdP sees him as an idle user, since requests are not going to the IdP and are served from the gateway cache. Hence both the GW cache and the IdP session get cleared after 15 min and the user is redirected to the login page.

*Solution*

As per the discussion I had with Dulanja, instead of using the default cache manager we could initialize a cache manager that expires entries based on last access time. Refer to thread [1]. That way the gateway cache (session) will stay active as long as the user is accessing the web app. The IdP session will still time out, but that won't be an issue for accessing the app.

But can this cause a security threat, since the cache won't expire as long as the user is active?

[1] [Dev] Set a desired value to HazelCast Cache Timeout

Regards,
Dinusha.

--
Dinusha Dilrukshi
Associate Technical Lead
WSO2 Inc.: http://wso2.com/
Mobile: +94725255071
Blog: http://dinushasblog.blogspot.com/
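The trade-off raised in the message above, as an added simulation that is not WSO2 or Hazelcast code: a fixed creation-based TTL logs an active user out every 15 min, a pure last-access (sliding) expiry never does, and a sliding expiry with an absolute lifetime cap bounds how long a stolen or forgotten cookie stays usable. The 8 h cap and the cache class are assumptions for illustration; Hazelcast's own map config exposes the equivalent knobs as `time-to-live-seconds` and `max-idle-seconds`.

```python
"""Gateway session-cache expiry policies in front of an IdP (constructed simulation)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60       # mirrors the 15 min default from the thread
MAX_LIFETIME = 8 * 60 * 60   # assumed absolute cap (8 h); not from the thread


@dataclass
class SessionEntry:
    created_at: float
    last_access: float


@dataclass
class GatewaySessionCache:
    """Hypothetical in-memory stand-in for the gateway's Hazelcast cache."""
    sliding: bool                          # expire relative to last access, not creation
    max_lifetime: Optional[float] = None   # absolute cap in seconds; None = no cap
    entries: Dict[str, SessionEntry] = field(default_factory=dict)

    def put(self, cookie: str, now: float) -> None:
        self.entries[cookie] = SessionEntry(created_at=now, last_access=now)

    def is_valid(self, cookie: str, now: float) -> bool:
        """True if the cookie maps to a live session at `now`; refreshes last access.
        Expired entries are evicted so a later lookup cannot revive them."""
        entry = self.entries.get(cookie)
        if entry is None:
            return False
        anchor = entry.last_access if self.sliding else entry.created_at
        expired = now - anchor > IDLE_TIMEOUT
        if self.max_lifetime is not None and now - entry.created_at > self.max_lifetime:
            expired = True   # cap wins even for a continuously active user
        if expired:
            del self.entries[cookie]
            return False
        entry.last_access = now
        return True


def idp_logins_needed(cache: GatewaySessionCache, duration: float, interval: float = 60.0) -> int:
    """Simulate a user loading a page every `interval` s for `duration` s and
    count how often the gateway has to send them back to the IdP."""
    logins, t = 0, 0.0
    while t <= duration:
        if not cache.is_valid("sid", t):
            logins += 1
            cache.put("sid", t)
        t += interval
    return logins
```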