BPM, Workflow, and Case

  • 1.  Session Validation for CSHS

    Posted Sat May 23, 2020 06:22 PM
    Edited by Harish Gupta Sun May 24, 2020 02:53 PM
    Hi All,

    In my application, we have our BPM Dashboard located on an external application. We have implemented a TAI so that once the user is authenticated by the external app, the user can seamlessly log in to the BPM Dashboard without re-login.

    We observed 2 issues.

    1. When we log out from the external app, the BPM Dashboard session still continues. Can we invalidate the BPM session when the user logs out from the external portal?

    2. We have set the LTPA timeout to 120 mins, but the CSHS does not time out even after 120 min. It eventually times out, but only after 5-6 hours of inactivity. As far as I know, LTPA timeout does not require inactivity; even if the user is actively working on the screen, the LTPA is supposed to expire after 120 mins.

    Thanks

    ------------------------------
    Harish Gupta
    ------------------------------


  • 2.  RE: Session Validation for CSHS

    Posted Mon May 25, 2020 02:00 AM
    Hi Harish,

    The "logged in" state in WebSphere (and thus BPM) is tracked using the LTPA cookie. Logout generally means telling the browser "forget the cookie". Because of the same-origin policy enforced by browsers, only the origin (as in https://bpm.customer.com) that set the cookie can remove it.
    To logout from BPM at the time when you log out from some other app, you would need to redirect the user's browser to e.g. https://bpm.customer.com/ProcessPortal/ibm_security_logout

    Alternatively, your TAI can be configured to be invoked not only for unauthenticated requests, but for all requests. You'd need to update the TAI logic to
    - check if an LTPA cookie is present
    - if so, determine the user id, call out to the other app and check the logged-in state there
    That's really expensive.
    Many variants are possible depending on the exact requirements (today and anticipated future requirements).

    Regarding CSHS timeout ...
    I am not sure what is supposed to expire here. LTPA might expire after 120 minutes, but your TAI might seamlessly reauthenticate the request for completing the CSHS. There shouldn't be server-side state, because CSHS were invented to scale to many browser clients without permanently occupying server-side resources.

    ------------------------------
    Jens Engelke
    ------------------------------



  • 3.  RE: Session Validation for CSHS

    Posted Mon May 25, 2020 06:32 AM
    @Jens Engelke So what I get is, even though the LTPA expires, the TAI will reset its expiry on reload of the page?

    I observed that when I delete the browser cookies, I can successfully end the CSHS session. Can I do it programmatically?
    I tried to do it from JavaScript, but it does not give me access to the HttpOnly LTPA cookies.



    ------------------------------
    Harish Gupta
    ------------------------------



  • 4.  RE: Session Validation for CSHS

    Posted Mon May 25, 2020 06:56 AM
    Edited by Jens Engelke Mon May 25, 2020 07:10 AM
    LTPA expiration cannot be reset. However, a TAI is invoked for unauthenticated requests (which includes requests with expired authentication) for protected resources. That is, when your user's browser invokes the CSHS and the browser includes an expired LTPA cookie, it will be treated as if it were an "initial" request: the TAI kicks in, does whatever you programmed it to do, establishes a new authentication, and completes the CSHS.
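Both of Jens's replies hinge on two mechanics: the same-origin rule that makes a request to the BPM origin's ibm_security_logout the only way to drop the LTPA cookie (reply #2), and the TAI running again whenever the LTPA cookie is missing or expired, so a 120-minute LTPA lifetime is invisible to a user the TAI can re-authenticate (reply #4). The following Python model is added here to run those two mechanics end to end; it is not code from IBM or from either poster. An HMAC-signed "user|expiry" string stands in for the LtpaToken2 cookie (the real LTPA format differs), a dict of portal sessions stands in for the external app, BpmServer.tai is a stand-in for the TAI logic, and a PORTALSESSION cookie on the assumed parent domain .customer.com is the assumed way the TAI sees the portal's session and can "call out" to check it. Hostnames, the user name and the timestamps are constructed.

```python
import hashlib
import hmac

LTPA_LIFETIME = 120 * 60            # the 120-minute LTPA timeout from the question
LTPA_KEY = b"constructed-demo-key"  # constructed stand-in for the cell's LTPA key
BPM_HOST = "bpm.customer.com"


def mint_ltpa(user, now):
    """Stand-in LtpaToken2 'user|expiry|hmac'; the expiry is absolute, activity never extends it."""
    body = f"{user}|{int(now) + LTPA_LIFETIME}"
    tag = hmac.new(LTPA_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def parse_ltpa(token, now):
    """Return the user for a correctly signed, unexpired stand-in token, else None."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user, exp, tag = parts
    expected = hmac.new(LTPA_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag) or int(exp) <= now:
        return None
    return user


class Browser:
    """Cookie jar keyed by (domain, name): a host only sees cookies whose domain
    covers it, which is why the portal origin cannot remove the BPM origin's cookie."""

    def __init__(self):
        self.jar = {}

    def set_cookie(self, domain, name, value):
        self.jar[(domain, name)] = value

    def clear_cookie(self, domain, name):
        self.jar.pop((domain, name), None)

    def cookies_for(self, host):
        def covers(domain):
            bare = domain.lstrip(".")
            return host == bare or host.endswith("." + bare)
        return {name: v for (domain, name), v in self.jar.items() if covers(domain)}


class BpmServer:
    def __init__(self, portal_sessions, tai_for_all_requests=False):
        self.portal_sessions = portal_sessions  # the external app's logged-in state
        # False: TAI runs only when there is no valid LTPA (the normal case).
        # True: TAI runs on every request, Jens's 'invoked for all requests' variant.
        self.tai_for_all_requests = tai_for_all_requests
        self.tai_calls = 0

    def tai(self, cookies):
        """Stand-in TAI: trust the portal session cookie only if the portal still knows
        that session (the call-out Jens describes). None means 'not trusted' (403)."""
        self.tai_calls += 1
        return self.portal_sessions.get(cookies.get("PORTALSESSION", ""))

    def handle(self, browser, path, now):
        cookies = browser.cookies_for(BPM_HOST)
        if path == "/ProcessPortal/ibm_security_logout":
            browser.clear_cookie(BPM_HOST, "LtpaToken2")  # only this origin can do this
            return "302 logged out"
        ltpa_user = parse_ltpa(cookies.get("LtpaToken2", ""), now)
        if ltpa_user is not None and not self.tai_for_all_requests:
            return f"200 {ltpa_user}"        # valid LTPA: the TAI is never consulted
        user = self.tai(cookies)             # absent/expired LTPA counts as an 'initial' request
        if user is None:
            return "403"
        if ltpa_user is None:                # establish a fresh LTPA, as reply #4 describes
            browser.set_cookie(BPM_HOST, "LtpaToken2", mint_ltpa(user, now))
        return f"200 {user}"


def run_scenario(tai_for_all_requests=False, portal_logout=True, bpm_logout=False):
    """Log in via the portal, use the dashboard, keep using it past the 120-minute LTPA
    lifetime, log out (of the portal, of BPM, or both), then try once more.
    Returns the three dashboard responses and how often the TAI consulted the portal."""
    t0 = 1_600_000_000                       # constructed clock
    portal_sessions = {"ext-1": "harish"}    # the portal has just logged the user in
    browser = Browser()
    bpm = BpmServer(portal_sessions, tai_for_all_requests)
    browser.set_cookie(".customer.com", "PORTALSESSION", "ext-1")  # assumed parent-domain cookie
    first = bpm.handle(browser, "/ProcessPortal/dashboard", t0)
    past_ltpa_lifetime = bpm.handle(browser, "/ProcessPortal/dashboard", t0 + 121 * 60)
    if portal_logout:
        portal_sessions.pop("ext-1")
        browser.clear_cookie(".customer.com", "PORTALSESSION")
    if bpm_logout:
        bpm.handle(browser, "/ProcessPortal/ibm_security_logout", t0 + 122 * 60)
    after_logout = bpm.handle(browser, "/ProcessPortal/dashboard", t0 + 122 * 60)
    return first, past_ltpa_lifetime, after_logout, bpm.tai_calls
```

Running run_scenario() with the defaults reproduces Harish's first issue: the request at 121 minutes finds an expired LTPA, the TAI re-authenticates it and a fresh LTPA is minted, so a portal logout a minute later changes nothing and the dashboard still answers 200. run_scenario(tai_for_all_requests=True) is Jens's "invoke the TAI for every request" variant and answers 403 after the portal logout, at the price of a portal call-out per request. run_scenario(bpm_logout=True) is the redirect-to-ibm_security_logout variant and also ends with 403. The fourth combination, run_scenario(portal_logout=False, bpm_logout=True), is the caveat to keep in mind: clearing the BPM cookie alone achieves nothing while the portal session is still live, because the very next request is "initial" again and the TAI simply re-establishes trust.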