Hi Harish,
the "logged in" state in WebSphere (and thus BPM) is tracked using the LTPA cookie. Logout generally means to tell the browser "forget the cookie". Because of the same origin policy enforced by browsers, only the origin (as in
https://bpm.customer.com) that has set the cookie can remove it.
To logout from BPM at the time when you log out from some other app, you would need to redirect the user's browser to e.g.
https://bpm.customer.com/ProcessPortal/ibm_security_logout
Alternatively, your TAI can be configured to be invoked not only for unauthenticated requests, but for all requests. You'd need to update the TAI logic to
- check if an LTPA cookie is present
- if so, determine the user id and call out to the other app and check the logged-in state there
That's really expensive.
Many variants are possible depending on the exact requirements (today and anticipated future requirements).
Regarding CSHS timeout ...
I am not sure what is supposed to expire here. LTPA might expire after 120, but your TAI might seamlessly reauthenticate the request for completing the CSHS. There shouldn't be server-side state, because CSHS were invented to scale to many browser clients without permanently occupying server side resources.
------------------------------
Jens Engelke
------------------------------
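To make the second option concrete, here is an added sketch of such a TAI. It is my own illustration, not code from this thread, from IBM or from Harish's existing TAI, and everything about the external portal is assumed: a session cookie named PORTALSESSION that the browser also sends to bpm.customer.com, and a session-status endpoint https://portal.customer.com/api/session/<id> that returns 200 with the user id in the body while the session is live and a non-200 status after logout. It also assumes the TAI has been registered to run before LTPA SSO (the WebSphere custom property com.ibm.websphere.security.InvokeTAIbeforeSSO, as I recall it) so that requests already carrying LtpaToken2 reach it; without that it only sees unauthenticated requests, as Jens notes.

```java
// Added example, not from the thread, IBM or the poster's TAI. Assumptions (all hypothetical):
//  - external portal sets cookie "PORTALSESSION" on a parent domain bpm.customer.com can see
//  - GET https://portal.customer.com/api/session/{id} -> 200 + user id while live, non-200 after logout
//  - WebSphere is configured to call this TAI before LTPA SSO, so it runs for every request
package com.example.bpm.security;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

public class PortalSessionTAI implements TrustAssociationInterceptor {
    private static final String LTPA_COOKIE = "LtpaToken2";
    private static final String PORTAL_COOKIE = "PORTALSESSION";                 // assumed name
    private static final String BPM_LOGOUT = "/ProcessPortal/ibm_security_logout";

    private String portalSessionUrl;   // assumed portal endpoint, from TAI custom properties
    private long cacheMillis;          // how long a positive answer from the portal is trusted
    // portal session id -> (user id, expiry): avoids a portal round trip on every request
    private final Map<String, CachedEntry> cache = new ConcurrentHashMap<>();

    private static final class CachedEntry {
        final String userId; final long expiresAt;
        CachedEntry(String u, long e) { userId = u; expiresAt = e; }
    }

    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        portalSessionUrl = props.getProperty("portal.sessionUrl", "https://portal.customer.com/api/session/");
        cacheMillis = Long.parseLong(props.getProperty("portal.cacheSeconds", "30")) * 1000L;
        return 0;
    }

    // Intercept requests carrying either cookie. The logout URL itself is excluded,
    // otherwise the redirect issued below would loop back into this TAI forever.
    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        if (req.getRequestURI().endsWith("ibm_security_logout")) return false;
        return cookie(req, LTPA_COOKIE) != null || cookie(req, PORTAL_COOKIE) != null;
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String sessionId = cookie(req, PORTAL_COOKIE);
        String userId = (sessionId == null) ? null : lookupUser(sessionId);
        if (userId == null) {
            // Portal says "logged out" (or no portal session at all): end the BPM session too.
            // A non-OK TAIResult tells WebSphere to send the response we prepared instead of continuing.
            try { resp.sendRedirect(BPM_LOGOUT); }
            catch (IOException e) { throw new WebTrustAssociationFailedException(e.getMessage()); }
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        // Still logged in at the portal: re-assert the identity; WebSphere issues/refreshes the LTPA token.
        return TAIResult.create(HttpServletResponse.SC_OK, userId);
    }

    private String lookupUser(String sessionId) {
        long now = System.currentTimeMillis();
        CachedEntry hit = cache.get(sessionId);
        if (hit != null && hit.expiresAt > now) return hit.userId;
        String userId = askPortal(sessionId);
        if (userId != null) cache.put(sessionId, new CachedEntry(userId, now + cacheMillis));
        else cache.remove(sessionId);
        return userId;
    }

    private String askPortal(String sessionId) {
        try {
            String id = URLEncoder.encode(sessionId, "UTF-8");   // never splice a cookie value raw into a URL
            HttpURLConnection c = (HttpURLConnection) new URL(portalSessionUrl + id).openConnection();
            c.setConnectTimeout(2000); c.setReadTimeout(2000);
            if (c.getResponseCode() != HttpServletResponse.SC_OK) return null;
            try (BufferedReader r = new BufferedReader(new InputStreamReader(c.getInputStream(), StandardCharsets.UTF_8))) {
                String line = r.readLine();
                return (line == null || line.trim().isEmpty()) ? null : line.trim();
            }
        } catch (IOException e) {
            return null;   // fail closed: a portal outage logs users out of BPM rather than leaving them in
        }
    }

    private static String cookie(HttpServletRequest req, String name) {
        Cookie[] cs = req.getCookies();
        if (cs == null) return null;
        for (Cookie c : cs) if (name.equals(c.getName())) return c.getValue();
        return null;
    }

    @Override public String getVersion() { return "1.0"; }
    @Override public String getType() { return getClass().getName(); }
    @Override public void cleanup() { cache.clear(); }
}
```

The cache is the knob for the "really expensive" part: with portal.cacheSeconds=30 a user who logs out of the portal can keep using BPM for up to 30 more seconds, and every uncached request still costs one HTTP call to the portal on the BPM request path. Set it to 0 if you need logout to be immediate and can afford the latency. Note also that this only cuts off the server side; the LtpaToken2 cookie stays in the browser until ibm_security_logout clears it, which is why the redirect is there and why Jens's first option (redirecting to that URL from the portal's own logout) is the cheaper way to get the same effect.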
Original Message:
Sent: Sat May 23, 2020 06:22 PM
From: Harish Gupta
Subject: Session Validation for CSHS
Hi All,
In my application, we have our BPM Dashboard located on an external application. We have implemented a TAI so that once the user is authenticated by the external app, the user can seamlessly log in to the BPM Dashboard without re-login.
We observed 2 issues.
1. When we log out from the external app, the BPM Dashboard session still continues. Can we invalidate the BPM session when the user logs out from the external portal?
2. We have set the LTPA timeout to 120 mins, but the CSHS does not time out even after 120 min. It eventually times out, but only after 5-6 hours of inactivity. As far as I know, LTPA timeout does not need inactivity; even though the user is actively working on the screen, the LTPA is supposed to expire after 120 mins.
Thanks
------------------------------
Harish Gupta
------------------------------