anonymous

Handling expiry of SessionId

Hi,

I am using CIAPI to log users in. I was wondering what the recommended pattern for handling expiry of sessionId is. I would like to be able to re-authenticate the user when their sessionId becomes invalid without forcing the user to log in again. Is this possible? I know a recent version of the API provides a logIn function that accepts a sessionId but if the sessionId is invalid, will this still work? Any information that you can provide me will be greatly appreciated.

Thanks.

Guest andreif

If you really need to reinitialize the session transparently to the user (and you understand the possible security risks), then you can store the username and password inside your program and re-login automatically if the session expires.

Guest mrdavidlaing

You will know that a user's session has expired because all API requests will start returning 401 errors with the following error detail:

{"HttpStatus":401,"ErrorMessage":"Session is not valid","ErrorCode":4011}

In your global error handler you should detect this error, and show the user the login box so they enter their password again.

The only way to do this transparently would be to cache the user's password, which I consider to be a security risk.

You can simulate the session expiring by making a call to delete the session, and then continuing to attempt to use that session in further calls.

Guest sky.sanders

OK, I have to agree with everything that has been said so far. Holding onto a user's credentials must not be taken lightly.

But…

if you must implement transparent session renewal you should derive from CIAPI.Rpc.Client and override EndRequest.

Wrap the call to base.EndRequest in a try block and examine the caught exceptions for the 401 "session not valid" error, then take the appropriate action.

That will not help you for the request that failed, though…

so another approach would be to proactively log a user in at a regular interval which would be less than the typical API session lifespan.

Reacting to exceptions is probably the lesser of the two approaches, in most situations.

But any strategy requires storing the user’s credentials.

HTH – if I did not understand your question please feel free to let me know.

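Putting the two replies above together (the 401 / ErrorCode 4011 detection from mrdavidlaing and the wrap-the-call approach from sky.sanders) as an added Python example that is not from this thread or from the CIAPI library: it detects exactly the error body quoted above, asks a caller-supplied `reauthenticate` hook for a fresh sessionId instead of caching a password, and goes one step beyond the thread by retrying the request that failed. `FakeServer`, the `reauthenticate` hook and `ExampleMethod` are constructed stand-ins; in a real client the hook would show the login box.

```python
import json

SESSION_INVALID_BODY = '{"HttpStatus":401,"ErrorMessage":"Session is not valid","ErrorCode":4011}'

def is_session_invalid(status, body):
    """True only for the exact expiry signal the API sends: HTTP 401 plus ErrorCode 4011."""
    if status != 401:
        return False
    try:
        err = json.loads(body)
    except ValueError:
        return False  # a 401 with some other body is not a session expiry
    return isinstance(err, dict) and err.get("ErrorCode") == 4011

class ApiClient:
    """Wraps each request as overriding EndRequest would: detect expiry, re-authenticate, retry once."""
    def __init__(self, transport, reauthenticate):
        self._transport = transport            # callable(session_id, method) -> (status, body)
        self._reauthenticate = reauthenticate  # callable() -> new sessionId, e.g. shows the login box
        self.session_id = None
    def call(self, method):
        status, body = self._transport(self.session_id, method)
        if is_session_invalid(status, body):
            self.session_id = self._reauthenticate()  # the client itself never holds the password
            status, body = self._transport(self.session_id, method)  # retry the request that failed
            if is_session_invalid(status, body):
                raise RuntimeError("re-authentication did not yield a valid session: " + body)
        return status, body

class FakeServer:
    """Constructed stand-in for the API (hypothetical): only sessionIds it issued are valid."""
    def __init__(self):
        self.valid, self.issued = set(), 0
    def login(self):
        self.issued += 1
        self.valid.add("sess-%d" % self.issued)
        return "sess-%d" % self.issued
    def request(self, sid, method):
        if sid not in self.valid:  # expired or deleted session
            return 401, SESSION_INVALID_BODY
        return 200, json.dumps({"Method": method})

def demo():
    server = FakeServer()
    client = ApiClient(server.request, reauthenticate=server.login)
    client.session_id = server.login()
    first, _ = client.call("ExampleMethod")
    server.valid.discard(client.session_id)  # simulate expiry, like calling delete session
    second, _ = client.call("ExampleMethod")  # detected, re-authenticated, retried
    return first, second, client.session_id  # -> (200, 200, "sess-2")
```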
