authentication cookie timeout?

Steve McCain
Ranch Hand

Joined: Sep 03, 2001
Posts: 45
Using WAS 5.1 on Solaris.

Is it possible to set an expiry time for an authentication cookie (created by WAS Basic authentication) or does such a cookie persist until the browser is closed? If a timeout can be set how do I set it?
Steve McCain
Ranch Hand

Joined: Sep 03, 2001
Posts: 45
I found the following in "Enterprise Java Programming with IBM WebSphere" by K Brown et al :-

"Once a user has been authenticated into WebSphere, WebSphere generates a special client credential to keep the user from having to log in again. This credential uniquely identifies the user and is kept in a cookie that is stored in memory on the user's browser. It has an expiration time associated with it to keep someone else from finding the cookie and using it to surreptitiously log in as the original user (called a relay attack) after which it is regenerated and retransmitted."

I think that what I would like to do is to be able to set an absolute expiry timeout on the authentication cookie in the way that you can set an expiry time on a session. At the moment I have an application that uses its own authentication system & I control access via HTTP sessions (my servlets check if there is a current session and if not I redirect to a login page and at appropriate places in the app I end the session etc.) but I would now like to use WebSphere's own authentication and would like the same level of control. I need to ensure that another user using the browser has to log in afresh and not continue where the first user left off, so I need somehow to be able to "get rid" of the authentication cookie.

thanks
Steve McCain
Ranch Hand

Joined: Sep 03, 2001
Posts: 45
Talking to yourself is said to be the first sign of madness.

I thought perhaps I could set the max age on the authentication cookie in my servlet, but when I try to find it via getCookies() I don't see it. Can someone please explain what I'm missing here?
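
An added example, not part of the thread and not WebSphere's own code: a servlet filter that puts an absolute lifetime on the HTTP session, which is the control asked about above, and at that deadline invalidates the session and tells the browser to discard the token cookie. Assumptions: the cookie is named `LtpaToken` with path `/`, the class name, init parameter and 30-minute default are hypothetical, and login is form-based, because with Basic authentication the browser silently resends its cached credentials.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter; map it to the protected URL patterns in web.xml.
public class AbsoluteTimeoutFilter implements Filter {
    private static final String TOKEN_COOKIE = "LtpaToken"; // assumed cookie name
    private long maxLifetimeMillis = 30L * 60L * 1000L;      // assumed default: 30 minutes

    public void init(FilterConfig cfg) throws ServletException {
        String minutes = cfg.getInitParameter("maxLifetimeMinutes"); // hypothetical init-param
        if (minutes != null) {
            try { maxLifetimeMillis = Long.parseLong(minutes.trim()) * 60L * 1000L; }
            catch (NumberFormatException e) { throw new ServletException("bad maxLifetimeMinutes", e); }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Always create a session so every authenticated request has a start time.
        HttpSession session = request.getSession(true);
        // Age is measured from creation, not last access, so activity cannot extend it.
        long age = System.currentTimeMillis() - session.getCreationTime();
        if (age > maxLifetimeMillis) {
            session.invalidate();
            Cookie expired = new Cookie(TOKEN_COOKIE, "");
            expired.setPath("/");   // must match the path of the cookie being removed
            expired.setMaxAge(0);   // Max-Age=0 tells the browser to delete it
            response.addCookie(expired);
            response.setHeader("Cache-Control", "no-store");
            // The next request carries no token, so the container asks for login again.
            response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/"));
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Expiring the cookie only removes it from the browser; a copy of the token captured earlier stays usable until the LTPA timeout set on the server, so that timeout should be kept short as well.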
